Tag Archives: CMMC

DoD CMMC Update

To say that DoD’s plans to enhance the cybersecurity practices of the defense industrial base have not gone exactly as planned would be polite.

White House Executive Order 13556, which created the Controlled Unclassified Information (CUI) program, was issued in 2010. Twelve years later, DoD is still wrestling with the issue.

DFARS 252.204-7012, which mandated NIST SP 800-171 compliance, had a compliance deadline at the end of 2017.

CMMC version 1.0 was released in January 2020 and folded into an interim final DFARS rule in late 2020. It never really went into effect.

CMMC version 2.0 was released in November 2021. It tried to simplify CMMC 1.0 and did, to an extent. But within months, DoD realized that a key part of it (splitting CUI compliance into two parts, one that could be self-certified and one that required third-party certification) was unworkable.

So where is it now?

CMMC 2.0 is now in the “rulemaking process” under Title 32 of the Code of Federal Regulations. This process is required for all federal regulations and is really complicated. After that, it has to go through the Title 48 process, which governs the Federal Acquisition Regulation (FAR) system.

Stacy Bostjanick, who has been trying to shepherd CMMC since the beginning, is hoping that the changes that come out of the rulemaking process are minor relative to what was released a few months ago. No guarantees.

She says that she is hoping that they will be allowed, one more time, to issue another “interim final rule”. Hoping.

They are trying to reduce the number of companies that will require expensive third-party certifications from maybe 300,000 to 100,000, but right now only about a dozen companies (the CMMC Third Party Assessment Organizations, or C3PAOs) have been approved to certify contractors. You do the math.

On top of that, DoD’s contracting officers have not been well trained in understanding and documenting what is CUI, let alone in communicating that to contractors. You can’t communicate what you don’t understand.

Many folks believe that what will come out of this rulemaking process, which is based on NIST SP 800-171 Revision 2, will likely look a lot like what went in. I think this is probably right.

This means that small businesses will need to make a costly decision about whether they stay in the defense business. Many will leave. In the last six years, the number of small businesses in the defense sector has shrunk by nearly a quarter.

Unfortunately, DoD is boxed in. The problem is real and there is no simple fix. Ignoring security is not a plan. Neither is asking contractors to pinky-swear that they are doing what they should be doing.

The final rules are expected to emerge from the rulemaking process in May. May 2023, that is: 13 months from now. They anticipate publishing the proposed rules for comment in July of this year.

The Pentagon is talking to international partners. The UK has a “similar” program called Cyber Essentials, and the Pentagon wants to compare the two. The Pentagon would like everyone to roll over to its desires, but that is unlikely to happen. This means that there will be differences from country to country, and contractors that do business in multiple countries will have even more paperwork, and cost, to deal with.

DoD is trying to incentivize contractors to get certified now. In part this is because, if everyone waits, the queue will be that much longer: if people wait for the rule to come out and get their documentation done, it will be that much longer before any meaningful number of them are certified. DoD would then have to choose between dropping the contract requirement or picking a less qualified, more expensive vendor who is certified. What a mess. DoD’s hands are somewhat tied in this process. They cannot offer contractors money to get certified, but they can say that vendors who are certified will rank higher in the review process than ones that are not. They can also say, MAYBE, that if you get certified now your certification will last longer: three years from the date the standard is actually approved rather than three years from today.

One thing that did come out in CMMC 2.0 is the concept of “waivers”. In CMMC 1.0, if you failed any control, you failed the assessment. In CMMC 2.0 they are talking about waivers: limited time, limited scope, only for certain controls, maybe. (Note that DoD’s CMMC 2.0 briefings describe two separate mechanisms: a Plan of Action and Milestones, or POA&M, covering a limited subset of controls that must be closed within 180 days, and a waiver of the CMMC requirement itself for select mission-critical acquisitions, approved by senior DoD leadership. The 180-day limit mentioned below belongs to the POA&M mechanism.) They have admitted that, since they do not want to shoot themselves in the foot, they are going to be forced to issue waivers. They have said that each waiver will need to be individually approved by the service needing the product, which makes sense. Since some executive is going to put his or her name on a piece of paper, that by itself will limit waivers. The CURRENT plan is that waivers can’t be for more than 180 days. If there are a lot of waiver requests (there will be), that by itself will be a paperwork nightmare, both approving and tracking them. Also, since the waivers will be technical in nature, the service executive approving them will need someone to explain what exactly he or she is approving. A mess, in other words.

The Pentagon has created an internal deadline to submit the proposed rule to the OMB on May 4. That is step 1 in the process. Generally, they have been good at meeting those deadlines. Just barely.

They are hoping to amend the existing DFARS 252.204-7019 and -7020 clauses instead of starting over, and that is probably reasonable. But reasonable and government don’t necessarily match. It is possible that DoD will feel it needs to close on the Title 32 rule before submitting the Title 48 rule. That could drag things out.

We continue to tell clients to focus on 800-171 because that is VERY LIKELY to remain the core of whatever comes out of the sausage grinder. It is also what contractors agreed, in writing, to comply with back in 2017 when they accepted DFARS 252.204-7012. That means that contractors who are not 800-171 compliant are technically in breach of contract.

One more fly in the ointment. Since 800-171 R2 came out, 800-53 has revved from R4 to R5. There is an effort within NIST right now to create 800-171 R3 based on the NIST SP 800-53 R5 moderate baseline. DoD has already said that it is working with NIST to incorporate some of the stuff that was “lost” in the move to CMMC 2.0. That means the goalposts are likely to move before the final rule is in place.

Credit: SCMagazine, Inside Cybersecurity, YouTube, Inside Cybersecurity, Inside Cybersecurity

CMMC 2.0 is Coming – In a Year or Two

CMMC just became either more complicated or simpler.

The feds published an advance notice of proposed rulemaking (ANPR) for CMMC 2.0 and then, just as quickly, unpublished it. The Federal Register, where official notices are published, said only that DoD had asked for it to be withdrawn.

So people saw the ANPR for about 18 hours and here is what they saw:

  • CMMC Levels 2 and 4 would be removed. Since DoD already said it doesn’t plan to use them, that is not a big deal.
  • CMMC Level 1 would be a self-assessment. Whether this matters depends on the consequences of lying. After all, the current 800-171 regime is pretty much a self-assessment.
  • The process maturity sections of CMMC would go away. This is a big loss, because without process maturity you really haven’t integrated security into the culture.

There seems to be a big disconnect between what is CUI and what is not. I was involved in a long conversation today in which the customer of a three-letter agency was saying, in their contract, that the names and personal information of contractor employees were CUI.

For now all assessments and certifications are on hold.

It also means that all of the companies in the CMMC ecosystem, from trainers to certifiers, are wondering about their investments. Some invested a lot of money.

On the other hand, DFARS 252.204-7012 and its underlying requirement of NIST SP 800-171 compliance, which makes up about 80% of CMMC version 1 Level 3, are still there and do not appear to be going away.

Was the release of CMMC 2.0 a mistake? A trial balloon? Intentional sabotage? No one is saying.

Personally, I think it was a trial balloon, but who knows.

Reports are that it will take the feds at least a year from now to develop the regulations behind CMMC 2.0 and that assumes that it doesn’t change from what was leaked. Of course, that is just a rumor. For all we know it could drop next week.

What we do know is the pilot program is suspended and contract requirements are being removed.

It is our recommendation that customers who are not fully compliant with 800-171 (which, under your current contract, you are already certifying that you are) continue working towards becoming fully compliant. The DoJ announced two weeks ago that it intends to go after folks who lie about that, under the False Claims Act. How aggressive that is going to be is unknown. What is known is that the feds currently recover around $5 billion a year from False Claims Act cases. Great revenue stream. And whistleblowers can get up to 30 percent of that.


Here is what other people are saying.

JDSupra says that the Pentagon is suspending the pilot and the DoD is evaluating how it could “provide incentives” to companies that voluntarily get certified in the interim. That is a different twist. Do it now and we pay for it, do it later and you pay for it? Interesting.

They also say the self certification is for “some circumstances”.

Finally, they say that the new Level 2 would be split into prioritized programs, which will require third-party certification, and other programs, which will require annual attestations by corporate officers, similar, I am guessing, to Sarbanes-Oxley. People who lie there could be prosecuted, jailed or debarred.

They are also saying that it is possible that there may be a waiver process for some particular controls.

A lot of unknowns.

The Pentagon has some very high-level material on the Office of the Under Secretary of Defense for Acquisition and Sustainment’s (A&S) website, even though it is rumored that A&S will be losing management responsibility for the program. It may be moving over to the DoD CIO, but that is currently a rumor. What is a fact is that A&S has not done a great job over the last year. They say that the Pentagon wants to simplify things for small businesses, which is good, while protecting national security, which is hard.

In the meantime, the Chinese, Russians, North Koreans and others continue to rob us blind.

Is everything clear?


So, as I said, work on 800-171 compliance and stay tuned. Could be tomorrow, could be a year from now.


Security News for the Week Ending February 26, 2021

DoD Working on CMMC-FedRAMP ‘Reciprocity’ by Year End

CMMC, DoD’s new cybersecurity standard, is designed to measure the security practices of companies and of the servers in their computer rooms and data centers. But what about the stuff in the cloud? That is covered by another government standard called FedRAMP. But those two standards have different rules, and contractors who need both have to figure out how to comply with two competing standards. DoD is working on this and plans to have a solution by September. One challenge is that FedRAMP allows for a ‘to-do’ list, a Plan of Action and Milestones (POA&M) of findings to be fixed later, and CMMC does not. Harmonizing these two standards is critical for defense contractors. Credit: Defense Systems

The Risk of NSA’s Offensive Security Strategy

The NSA has, for decades, favored offensive security (hacking others) over defensive security (protecting us). The Obama administration created a process called the Vulnerabilities Equities Process (VEP) to try to rationalize keeping bugs secret for use against others versus telling vendors so that they can fix them. Check Point Research published a report describing one failure of that bet: the Chinese obtained, one way or another, a bug we were using and turned it against us. That is the danger of offensive security. Read the details here. Credit: The Register

HINT: When Your Vendor Tells You it is Time to Upgrade – Listen

Airplane maker Bombardier is the latest entry into the club of companies compromised through Accellion’s 20-year-old FTA (File Transfer Appliance) system. What was likely stolen was intellectual property. Accellion has been trying to get customers off this legacy platform for five years, and now says it will formally end-of-life the old software in April. About 300 customers did not listen; fewer than 100 of those, by Accellion’s own count, were compromised. Credit: ZDNet

Microsoft Asks Congress to Force Companies to Disclose Breaches

Microsoft’s president Brad Smith testified at a Senate Intelligence Committee hearing this week about the SolarWinds breach. Smith said that the private sector should be legally obligated to disclose any major hack. None of the other CEOs who testified argued with Smith. The details of who, how, when, etc. are not easy to figure out, nor is the penalty for breaking the law. I suspect that the overwhelming majority of breaches are never reported to anyone because there is no incentive to do so. Credit: The Register

DHS-CISA Reveals Authentication Bypass of Rockwell Factory Controllers

Rockwell industrial automation controllers used in places like factory floors can be compromised by a remote attacker who has gained a foothold on the network. The bug has a CVSS severity score of 10 out of 10. Exploiting it would allow attackers to upload firmware of their choosing to, and download data from, the controller. The bug was initially disclosed to Rockwell in 2019. Credit: Security Week

As Another DoD Contractor is Breached; DoD Works to Stop Them

Visser Precision, a precision parts contract manufacturer based in Denver, Colorado, has confirmed a “cybersecurity incident”.

Visser makes parts for the likes of Tesla, Space X, Boeing and defense contractor Lockheed Martin.

The ransomware was DoppelPaymer, one of the “Ransomware 2.0” variants that steal data before encrypting it. Some of that data is available for download on the hackers’ website to prove that they stole it.

One of the documents appears to be a partial schematic for a missile antenna.


While Tesla, SpaceX and Boeing did not respond to requests for comment, Lockheed said that they were “aware of the situation”.

Source: Tech Crunch

Under DFARS 252.204-7012, a defense contractor must report a cyber incident affecting covered defense information to DoD within 72 hours of discovery, and that requirement flows down to subcontractors like Visser, so both Visser and Lockheed may have had to report. We assume they did. DoD can then decide what next steps are appropriate. In this case, since it appears that sensitive information was actually stolen from Visser, DoD will, most likely, investigate.

As of about a month ago, DoD released version 1.0 of its Cybersecurity Maturity Model Certification (CMMC), a framework for improving the security of defense contractors. DoD has not, however, started implementing it. The program requires everyone who sells to the DoD, from cafeteria operators to lawn care firms to companies building missiles, to adhere to a range of cybersecurity standards and be certified by a third party to ensure compliance.

DoD is actually moving very rapidly for a government entity with 1.4 million active duty personnel, 1.1 million reservists and 860,000 civilians.  It took them less than a year to define and approve the standard and they hope to have some contracts with the CMMC requirement in place this calendar year.  That means that they have to train the assessors, approve the certifiers and issue the contracts.

No one has announced whether this attack was done by the Chinese, Russians, North Koreans or a 400-pound teenager in his parents’ basement. With no information, I vote for the first one.

DoD says that, for contracts that have CMMC requirements, vendors will not be allowed to BID on the contract if they do not have the appropriate CMMC certifications already in place.

This is definitely motivating companies like Lockheed, and breaches like the one at Visser, a supplier whose security Lockheed had vetted and approved, only make them more motivated.

If you serve the defense industry, now is the time to get prepared because it will take some time and effort.

DoD Contractor Hit by Ransomware Infection

Electronic Warfare Associates (EWA), a well known defense contractor in DC, was hit by a ransomware attack.  The tagline on the homepage of their website says that they are enabling a more secure future.

A Google search last week for the company brought up these results (screenshot not reproduced here):
The researcher who discovered the problem said it seems to have affected, at least, EWA Government Systems Inc., EWA Technologies Inc., Simplickey and Homeland Protection Institute.

EWA has not made any public announcement of the issue.  As I write this, the EWATech web site does not respond.

The current information suggests this is the Ryuk ransomware.  It is used for high value targets and is known to exfiltrate data.  Exfiltrate is a big word for steal.  Source: ZDNet

One more thing we know.  When ZDNet called the company and spoke to their spokesperson asking for a comment on the story, he or she hung up on the reporter.

So what might we speculate?

You may remember that another Navy contractor lost over 600 gigabytes of very sensitive electronic warfare data (from project Sea Dragon) to the Chinese in 2018. Were the Chinese looking for more EW data? Certainly could be. That data is very valuable in building better offensive weapons (figuring out how to defeat our weapons) and building better defensive weapons (it is cheaper to steal it than to invent it).

The Navy went crazy after the Sea Dragon breach. This makes them look even more incompetent.

DoD contractors are required, under DFARS 252.204-7012, to report cyber incidents to the Pentagon within 72 hours of discovery. Assuming they followed the rule, the Pentagon’s people (NSA, for example) could be all over this.

Much of the information that the government eventually classifies starts out as commercial research and isn’t classified until later.  Which COULD mean that whoever hacked them was after high value, not-yet classified information.

All of this is speculation, but reasonable speculation.

Which brings us up to the Pentagon’s efforts to require defense contractors to get an independent, third party cybersecurity certification called CMMC.  Would a certifier have discovered a problem which allowed this to happen?   Assuming the Pentagon is in the middle of this investigation, we may never hear.  But I bet folks are looking at the forensics right now.

But this certainly bolsters the logic behind the CMMC certification requirement.  And it is on track for starting later this year.

For those of you who sell to the government – both civilian and military, this is just one more warning to protect your ass.ets.

And more ammunition for Katie Arrington (who runs the CMMC project).

Oh.  One last thing.

The spokesperson who hung up on the media.  That is a GREAT way to get even more media attention on the worst day of your career.

There is something called an Incident Response Plan.  Part of an IRP is a Crisis Communications Plan.

Perhaps they should think about writing one.  And training people.

PS – It is probably required by CMMC.


Preparing for DoD’s CMMC

DoD continues to take actions that lead us to believe that they are very serious about the Cybersecurity Maturity Model Certification process.

This process will require that all DoD contractors ultimately obtain and maintain a third-party cybersecurity certification if they want to continue to be part of the DoD food chain.

When I say part of the DoD food chain, I mean at every level. An example DoD used recently was that even the companies that mow the lawn and tend the bushes at DoD installations would need to be certified. EVERYONE is the plan.

Reports are that there are plans underway to make changes to the DFARS, the DoD acquisition regulations, this summer to reinforce the certification requirement.

It is also possible that they may extend this to the more general FAR, the acquisition regulations for the rest of the government. They have been talking about doing that for a couple of years, so if they really do it, it won’t be a real surprise.

One step forward is the naming of Ty Schieber as the head of the 13-member body (the CMMC Accreditation Body) that is charged with certifying auditors. Ty is the senior director for executive education at the University of Virginia Darden School Foundation.

A DoD spokesperson said that CMMC requirements will begin showing up in presolicitation documents around June of this year.  While that date is very aggressive and may slip, it does seem to indicate that DoD is very serious about this.

Some folks say that requiring contractors to get a certification that they are protecting DoD information might discourage some contractors from bidding on DoD work.

Getting sued by the DoD for breach of contract for not protecting DoD’s information in case of a breach could be a downer as well.  That seems to be the other alternative to me and far worse.

Ignoring situations where the Chinese and others can steal our intellectual property is not a viable option any more.

It is possible that DoD COULD skew the playing field by requiring a higher level of certification than is actually required on a specific contract because their favorite contractor has that level of certification, but DoD bidders are very familiar with disputing DoD contract awards, so that, ultimately, would backfire if they did that at any large scale.

There is a concern, and it is legitimate, that certifications from different auditors could produce different results.  That puts the onus on DoD to set good guidelines so that everyone knows how the process needs to work.

The important thing is to get started now. While the next version of the spec might change a bit, the basics are locked in, and it will take a while to implement them.

The plan, as it has been explained to us, is that contractors who are not certified at the appropriate level will not be allowed to bid on contracts that specify a CMMC requirement.  There will likely be long queues once the final process is announced, so getting started now will put you in a place where you can request certification earlier and get a jump on those people who wait.

Source: Washington Technology