October 17, 2023

    The CMMC 2.1 Draft Unveiling: Insights & Key Takeaways

    You may remember July 2023 as an unexpectedly thrilling month in the cybersecurity world. The draft documents for the much-anticipated Cybersecurity Maturity Model Certification (CMMC) 2.1 were unintentionally published and, even though they were hastily retracted, it was not before we got a hefty dose of exciting insight on what the future may hold.

    Coming from the Department of Defense (DoD), the leaked documents highlight a crucial process where the feedback obtained from the Defense Industrial Base (DIB), the CyberAB, and the wider CMMC ecosystem may be accounted for. One thing that's clear from this unexpected preview is that the march towards a more secure digital landscape is far from slowing down—the government is keeping the gears of CMMC in full motion.

    Let's get into more detail about the potential changes that could come with the transition from version 2.0 to 2.1, based on the brief accidental reveal.

    1. Clearer Definition of External Service Provider (ESP)

    One of the standout revelations from the leaked documents is what appears to be a much-needed clarification on the role and definition of an ESP. An ESP—most commonly recognized as a Managed Service Provider (MSP), a Managed Security Services Provider (MSSP), or any organization dealing with Controlled Unclassified Information (CUI) or Security Protected Data for the Organization Seeking Certification (OSC)—has always been somewhat ambiguous in terms of context and guidelines. The forthcoming version of CMMC looks set to put an end to this ambiguity, which could be a huge relief for organizations wrestling with correctly defining their environments.

    According to the leaked version, the definition of what constitutes an ESP is expected to form part of the final rule-making under 32 CFR 170. This precision should provide much-needed clarity and guidance that organizations have been seeking when it comes to properly scoping their digital environments according to the CMMC.

    2. Stricter Requirements for ESP Certification

    Perhaps more eyebrow-raising is the implication that ESPs must secure a degree of certification akin to that of the OSCs they're serving—a shift that is causing a degree of head-scratching across the industry. It's a significant game-changer, particularly as most ESPs, like CSPs, are not government contractors and so have not previously been beholden to the same strict regulations, such as those outlined in Defense Federal Acquisition Regulations (DFARS) 252.204-7012.

    So, the million-dollar question raised by this potential new requirement: might ESPs need to develop and demonstrate compliance programs in line with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171? The answer could very well be a resounding 'yes'.


    How Should Organizations Prepare?

    Despite these potential changes, the bedrock of cybersecurity requisites remains as it has been. The basic requirements of DFARS 252.204-7012 and NIST SP 800-171 revision 2 continue to stand strong, underpinning the CMMC. So, no matter what happens, these are foundations that organizations will still have to build on. We’ve written extensively in the past on DFARS 252.204-7012, and many of the basic requirements, but here’s a helpful list:

    1. Safeguarding Covered Defense Information (CDI): Contractors must implement adequate security measures to protect CDI. CDI refers to unclassified controlled technical information or other sensitive information that is provided to or generated by the contractor in support of a Department of Defense (DoD) contract.

    2. NIST SP 800-171 Compliance: Contractors must implement the security controls specified in the National Institute of Standards and Technology (NIST) Special Publication 800-171, "Protecting Controlled Unclassified Information in Non-Federal Systems and Organizations." These controls cover various aspects of cybersecurity, including access control, data encryption, incident response, and more.

    3. System Security Plan (SSP):  Contractors must create and maintain a System Security Plan (SSP) that documents how they are implementing the NIST SP 800-171 controls. The SSP should describe the security measures in place and how they are applied to protect CDI.

    4. Plan of Action and Milestones (POA&M): Contractors must also establish and maintain a Plan of Action and Milestones (POA&M) that identifies any security deficiencies or gaps and outlines a plan to address them. This is essentially a roadmap for achieving compliance with the NIST SP 800-171 controls.

    5. Incident Reporting:  Contractors are required to report any cyber incidents that affect CDI or the contractor's ability to perform on a DoD contract. The incident reporting timeline and process should be in accordance with the contract's terms and any specific guidance provided by the DoD.

    6. Flow Down Requirements: Contractors must flow down these cybersecurity requirements to subcontractors who will have access to CDI. This means that subcontractors must also comply with DFARS 252.204-7012 if they handle CDI.

    7. Security Assessments: The government may conduct security assessments or audits to ensure compliance with these requirements. Contractors must cooperate with these assessments and provide necessary documentation.

    8. Continuous Monitoring:  Contractors are expected to continuously monitor their systems and security controls to ensure ongoing compliance and protection of CDI.

    What's on the Horizon for the CMMC Ecosystem?

    The implication of these leaked changes goes beyond simply impacting ESPs and OSCs. Offering a hint at the wider reverberations, we can expect the landscape of cybersecurity education to be overhauled, especially for professionals certified under the CyberAB Cybersecurity Assessors and Instructors Certification Organization (CAICO).

    Reflecting on the shift from CMMC 1.0 to 2.0, we remember that significant training revisions were necessary—a process likely to be repeated with the introduction of CMMC 2.1. But this time, several additional certifications, like the Certified CMMC Professional (CCP) and the Certified CMMC Assessor (CCA), may need factoring in during the review and update of exams.

    One thing we can say with certainty from these anticipated changes: cybersecurity, just like technology, is ever-evolving. Ensuring to keep the CMMC model and its documentation updated with contemporary technologies, solutions, and threats is not just an option—it's a necessity. We've already witnessed a surge of Executive Orders focusing on cybersecurity matters, regular updates to the NIST publications, and now these potential advancements to CMMC. It's clear that the requirements for the DIB will perpetually evolve and adapt, reinforcing the lifeline of cybersecurity in the modern age.

    Sailing Through Cybersecurity Regulations with Sharetru: Your Reliable Partner in File Sharing

    Here at Sharetru, we've been a beacon in the cybersecurity space, leading the way in helping organizations fulfill NIST 800-171 requirements for file sharing since 2018. Our credentials are not light; in fact, we've accomplished our FedRAMP moderate equivalency System Security Plan (SSP) that aligns with DFARS 252.204-7012. That's a clear demonstration of our commitment to your security.

    Should your current data transfer routine already involve Sharetru, there's more good news for you. You're already in an exceptional position to meet future demands, even before they become official. Our systems already adhere to the most stringent standards, ensuring you're ahead of the pack when new regulations roll out.

    If you're yet to benefit from Sharetru's capabilities, it's high time to consider us as your CMMC go-to file transfer solution. Aligning with Sharetru means a more seamless journey to compliance with evolving cybersecurity regulations.

    Looming changes, such as the potential need for External Service Providers (ESPs) to attain certain levels of certification, are on our radar. Rest assured, should this development materialize, Sharetru is poised to adapt swiftly, showing unwavering commitment to maintaining the trusted partnership we've built with our clients. Staying compliant in an ever-evolving cyber landscape is easier when you're aboard the Sharetru ship.

    Arvind Mistry

    Arvind, Sharetru's Director of Compliance, brings 11+ years' experience in cloud solutions for Federal Govt. & public sector from esteemed companies.

    Other posts you might be interested in

    View All Posts