The Defense Department is providing new details on elements of its Cybersecurity Maturity Model Certification program through presentation slides on alignment with National Institute of Standards and Technology standards and a 2023 memo on equivalency with the General Services Administration’s FedRAMP program.
The first slide deck covers aligning CMMC with NIST Special Publication 800-171 Rev. 2 and the scoring of NIST 800-171 Rev. 2 under the DOD assessment methodology. DOD also provides information on alignment with NIST 800-172 and on the use of organization-defined parameters.
DOD provides guidance on the transition to NIST 800-171 Rev. 3, which was published while the CMMC rulemaking process continues. DOD issued a class deviation in May 2024 to keep the CMMC requirements aligned with NIST 800-171 Rev. 2.
“DoD will formally adopt Rev. 3 through future rulemaking,” according to the slides. DOD states that the class deviation will remain in place until NIST 800-171 Rev. 3 is “officially adopted.”
In addition, the slides say DOD will be developing a “new scoring methodology” for NIST 800-171 Rev. 3.
Meanwhile, DOD says organizations can take steps to “proactively implement” NIST 800-171 Rev. 3 but they “[m]ust still meet Rev. 2 requirements for compliance and assessments.”
To prepare for the transition, DOD says organizations can conduct a gap analysis between Rev. 2 and Rev. 3 and update their system security plans and security controls accordingly.
The slides were cleared for publication on Jan. 21 and recently published on DOD’s CMMC website.
Another recent slide deck goes through FedRAMP authorization and equivalency with information on cloud requirements for the defense industrial base. DOD issued a memorandum in 2023 detailing FedRAMP equivalency requirements for the CMMC program.
The slides go through roles and responsibilities under the memo for the DIB contractor, a FedRAMP-recognized third party assessment organization, DCMA’s Defense Industrial Base Cybersecurity Assessment Center and a certified third party assessment organization under CMMC.
DOD encourages cloud service providers to engage with a FedRAMP-recognized third party assessment organization early, conduct a “readiness assessment before formal testing” and “[m]aintain strong internal governance for security documentation and incident reporting.”
A third set of slides offers guidance on the technical application of CMMC requirements. It starts with details on external service providers and explains the implications for infrastructure-as-a-service providers and for managed security service providers.
There is additional content on cloud service providers and how they differ from ESPs and MSPs. DOD also goes into detail on contractor risk managed assets and describes how the CRMA category differs between CMMC levels two and three.
DOD also posted a set of slides from a Feb. 12 presentation at the DOD Cybersecurity and SAP IT Summit. The slides provide an overview of the Supplier Performance Risk System, which will be used by DOD acquisition officials to get details on CMMC status for individual companies.
Another set of slides from the summit offers an introduction to the CMMC Enterprise Mission Support Service, which is the data repository for CMMC assessments and supporting data. DOD says, “CMMC eMASS is also the engine for tracking assessments, Plans of Actions and Milestones (POA&Ms), and appeals actions, and is a mechanism used for reporting/tracking CMMC metrics.”
The last set of slides was cleared for publication approximately a month earlier than the other presentations. DOD provides criteria for CMMC levels and goes through selecting CMMC level two requirements. -- Sara Friedman (sfriedman@iwpnews.com)