CMMC Final Rule Published: What This Means for MSPs The CMMC Final Rule has been pre-published in the U.S. Federal Register, with official publication on October 15. This update brings a critical change for MSPs supporting defense contractors. The original proposal required MSPs to pass a Level 2 or 3 CMMC assessment at the same level as their clients, or the clients would fail. But the final rule changes that: If an MSP (or any External Service Provider) does not process, store, or transmit Controlled Unclassified Information (CUI), they will not need their own CMMC assessment. Instead, their services will be assessed as part of the defense contractor's certification. What this means for MSPs: If you or your vendors aren't handling CUI, you're not on the hook for a costly Level 2 assessment. Mike will share more once he has had time to dive into the full 470-page document, but feel free to reach out with any immediate questions.
Rose Ketchum’s Post
More Relevant Posts
-
CMMC Final Rule Published: What This Means for MSPs The CMMC Final Rule has been pre-published in the U.S. Federal Register, with official publication on October 15. This update brings a critical change for MSPs supporting defense contractors. The original proposal required MSPs to pass a Level 2 or 3 CMMC assessment at the same level as their clients, or the clients would fail. But the final rule changes that: If an MSP (or any External Service Provider) does not process, store, or transmit Controlled Unclassified Information (CUI), they will not need their own CMMC assessment. Instead, their services will be assessed as part of the defense contractor's certification. What this means for MSPs: If you or your vendors aren't handling CUI, you're not on the hook for a costly Level 2 assessment. I'll share more once I've had time to dive into the full 470-page document, but feel free to reach out with any immediate questions.
-
Since the release of SP 800-171r3, there has been a lot of discussion on Organization-Defined Parameters or ODPs. ODPs are new to SP 800-171, but not new to security control sets. They’ve been around since 2005 with the introduction of SP 800-53. I’ve spoken to several people who say they can’t begin preparing for SP 800-171r3 because the [insert federal agency] has not defined the ODPs. However, many agencies and the FedRAMP PMO have already defined ODPs for SP 800-53r5, which is the source of SP 800-171r3; therefore, we have an indication of what to expect for SP 800-171 ODPs. Not sufficient? #NIST is one step ahead of you. SP 800-171r3 states “If a federal agency or a consortium of agencies do not specify a particular value or range of values for an ODP, nonfederal organizations must assign the value or values to complete the security requirement.” Therefore, you get to decide the ODP values when guidance isn’t available. There are many reasons not to worry about SP 800-171r3 today (e.g., #DFARS Class Deviation, no FAR mandate – yet, still working on implementing SP 800-171r2, #CMMC); however, not having ODP values isn’t one of them. If you need help implementing SP 800-171, reach out. I’d be happy to discuss how Optic can help you implement SP 800-171r2 today while keeping an eye towards the future, so you don’t have to rip and replace when SP 800-171r3 becomes a requirement. Also, if you’re just getting started, check out our template for capturing what you’re already doing against SP 800-171r3 here: https://lnkd.in/eyV3XNpz #SP800171 #SP80053
-
For folks wondering about CMMC Level 1, Level 2, rule-making, and self-assessment or third-party assessments. What if we switched up the mindset? Simply by writing your own SSP, or working with a consultant on one, you are already assessing. You are building assurance cases with multiple assessment objectives to prove you have adequate and sufficient evidence that all 320 security requirements of NIST SP 800-171 get met. If something is not met, you make a plan to get it met. That is a self-assessment. Engineering trust is an assessment of the systems we engineer.
-
Top Hurdles for MSSPs and One Shining Solution As one of many MSSPs, you're aware of challenges that make your work difficult. Learn how the CIS Controls Accreditation can help. via: https://lnkd.in/gayYuzfm
-
Great information to prepare for your CMMC journey.
CEO, Defense Cybersecurity Group (DCG), CMMC Lead Assessor, FBI Infragard SME on Cyberwarfare and Deputy Sector Lead, Defense Industrial Base
#CMMC tidbit for today. CMMC Self Assessments must be done using the CMMC assessment method just as if you were a CMMC assessor. In fact the regulation specifically states that when conducting a self assessment the OSC is the assessor, and with that designation come obligations. “All requirements that were scored “NOT MET” and placed on the POA&M must be remedied within 180 days of receiving their Conditional CMMC Status.” 32CFR179 pg 7 of original PDF. This means that POA&M items have a deadline even for self assessments, and although you can achieve the minimum score of 88 on a self assessment, you then must remediate those and achieve 110 within 180 days. This is a big change from the method we are using today for the SPRS score, where there is no minimum score and no timeline for remediation. The enforcement for this is the False Claims Act and other "contractual remedies." Per a DoD 2022 memo, "Remedies for such a breach may include: withholding progress payments; foregoing remaining contract options; and potentially terminating the contract in part or in whole. Contracting Officers should consult with legal counsel as well as the program office or requiring activity to discuss appropriate remedies for the specific circumstances surrounding individual contracts." But how will they know? Who will really enforce that? My new favorite phrase is, "Someone will check your homework eventually." I think most #DIB contractors will have at least one if not more contracts that extend a certification a requirement. C3PAOs are required to notify DoD when they are going to assess a contractor, and what the results are when they do. There is a high likelihood that someone from outside will in fact check your work. If there is a large delta between your self-reported score and your assessed score... those contractual remedies could become very real. https://lnkd.in/eduYG-zJ
-
DoD contractors must maintain CMMC assessment evidence for 6 years. What a peculiar period of time, right? Why would the DoD pick six years? Turns out they didn't - the Department of Justice did. I don't think people appreciate the level of interagency coordination that goes into rules before they are published. There is a whole process of interagency concurrence, coordination, and commenting that happens long before a rule is published. Looks like the DOJ is particularly interested in making sure contractors maintain a careful record of exactly what went down in their assessments (internal and external, btw). Why might that be? Anyways, from the rule: - You, the contractor, are responsible for maintaining and hashing all artifacts that supported the assessment. - Assessors and C3PAOs do not retain assessment artifacts, they only retain the hash value captured during the assessment process. - It's up to the contractor to determine the best way to ensure artifact availability during the six-year retention period. Pop quiz: where can you find a long list of examples of evidence used during an assessment of NIST SP 800-171 requirements? Correct answers get bonus points with DOJ (they lurk my posts 👋).
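The post above says the contractor keeps the artifacts while the assessor keeps only the hash value. The script below is an added example (written for this page, not from the post, the rule, or any CMMC tooling) of what that division of labor looks like in practice: hash every artifact under an evidence directory with SHA-256, bundle the digests into a manifest, derive a single manifest hash that a third party could retain, and later verify that the files you still hold are byte-for-byte the ones that were hashed. The manifest layout, the directory names and the sample files are all constructed for illustration; the official CMMC hashing procedure and format are not reproduced here.

```python
"""Added example: SHA-256 manifest for assessment artifacts.
The manifest layout is an assumption for illustration, not the
official CMMC artifact-hashing format."""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # 1 MiB reads so large artifacts (VM images, log exports) stream


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Hash every regular file under root; keys are POSIX relative paths."""
    entries = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            entries[p.relative_to(root).as_posix()] = sha256_file(p)
    # Hash the canonical JSON of the entries so a single value can be handed
    # to the assessor while the contractor retains the files (constructed scheme).
    canonical = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return {"files": entries, "manifest_sha256": hashlib.sha256(canonical).hexdigest()}


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Return {relpath: status}; status is ok, modified, missing or unexpected."""
    expected = manifest["files"]
    result = {}
    for rel, digest in expected.items():
        p = root / rel
        if not p.is_file():
            result[rel] = "missing"
        elif sha256_file(p) != digest:
            result[rel] = "modified"
        else:
            result[rel] = "ok"
    # Files that appeared after the manifest was cut are flagged, not ignored.
    for p in root.rglob("*"):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            if rel not in expected:
                result[rel] = "unexpected"
    return result


def demo() -> tuple:
    """Constructed sample: three artifacts; after 'assessment' one is edited and one deleted."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "policies").mkdir()
        (root / "policies" / "ssp.txt").write_text("System Security Plan v1\n")
        (root / "screenshots").mkdir()
        (root / "screenshots" / "mfa.png").write_bytes(b"\x89PNG constructed bytes")
        (root / "logs.txt").write_text("2024-10-15 constructed audit log line\n")

        manifest = build_manifest(root)          # what you hand to the assessor
        before = verify_manifest(root, manifest)  # everything should be ok

        # Simulate drift during the retention period.
        (root / "policies" / "ssp.txt").write_text("System Security Plan v2\n")
        (root / "logs.txt").unlink()
        after = verify_manifest(root, manifest)
        return manifest, before, after


if __name__ == "__main__":
    manifest, before, after = demo()
    print("manifest hash:", manifest["manifest_sha256"])
    print("before drift:", before)
    print("after drift: ", after)
```

Run it against a real evidence directory by calling build_manifest once at assessment time, storing the manifest read-only (ideally on write-once or versioned storage, and with the manifest hash recorded out of band), and calling verify_manifest on a schedule; any status other than ok is a retention failure you want to know about before someone else checks your homework.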
-
Question for the CMMC community out there... on page 440 of the final CMMC rule, it states: (2) Security requirement re-evaluation. A security requirement that is NOT MET (as defined in § 170.24) may be re-evaluated during the course of the Level 2 certification assessment and for 10 business days following the active assessment period if all of the following conditions exist: (i) Additional evidence is available to demonstrate the security requirement has been MET; (ii) Cannot change or limit the effectiveness of other requirements that have been scored MET; and (iii) The CMMC Assessment Findings Report has not been delivered. Does this mean that when a CCA/CCP finds ANY objective NOT MET, even 3s or 5s, that the organization has 10 days to fix and become compliant and then be re-evaluated? Are there limitations to this? I see (i) being interpreted several ways, one being the additional evidence is immediately available, or it will be available within the 10 days. Would like your thoughts.
-
Great news from #CMMC: they are moving to the finish line. CMMC Final Rule moves to OIRA review (cmmcaudit.org). If you want to learn more about CMMC, come to Https://ontechnologypartners.com
New to CMMC? Start here for info about CMMC | CMMC Audit Preparation
https://www.cmmcaudit.org