The Department of Defense published two detailed guides on how contractors will have their networks inspected to continue earning contracts once new regulations are added to contracting rules.
The Cybersecurity Maturity Model Certification assessment guide for level one and two requirements will cover the vast majority of contractors in DOD, with level one being a self-assessment and level two requiring some to get a third-party assessment, according to the documents. The assessment guides are new to “CMMC 2.0” which comes after changes were made by the department to pair down the contractor cybersecurity program.
The self-assessment guide for level one of CMMC closely resembles a guide from the National Institute for Standards and Technology, Johann Dettweiler, director of operations at TalaTek, a certified assessment organization said.
“Honestly, it’s a waste of time and money. It’s NIST 800-171A. I am not sure why the Department of Defense felt the need to waste resources and effort on re-branding a framework that already exists,” Dettweiler he said.
He added that it seemed out of reach for contractors without a security background to conduct the self-assessment.
“I don’t think most non-experts will be able to implement the required level of security. It’s too difficult for someone not well versed in security to determine their boundary, implement the controls at the component level for that boundary, and then perform an honest self-assessment,” he said.
The level two assessment guide is much deeper and more complex, as it contains more security controls and targeted at certified assessors that will need to verify contractor compliance. The CMMC Accreditation Body, a separate entity from DOD, is responsible for accrediting the assessors and assessor organizations that will conduct inspections on roughly 40,000 contractors that handle sensitive data.
The scope of inspections will require documentation and other forms of proof from contractors to show they are meeting security controls, according to the guidance.
“During the CMMC assessment, the certified assessor will verify and validate that the contractor has properly implemented the practices,” according to the document.
The goal is to ensure “maturity,” as CMMC’s name implies, of cyber practices and not just compliance. The DOD is currently working through the rule making process in order to be able to add the requirement to contracts in the coming years.