32 CFR 170: A Small Business Manufacturer Reaction to the CMMC Final Rule

I’ve read a lot of great analysis from peers and many of their observations are some of my takeaways, too, but, assuming this isn’t your first time here, it should be no surprise that I have a small business slant.

If you haven’t read the rule yourself, I encourage you to do so and go through the adjudicated comments. Some of the answers are pretty entertaining. (Some dude chose to submit marketing material as his comment. Not sure if that's impressive or dumb.)

The Good

Overall, the document is well-written compared to the Proposed Rule. It’s a much easier read and easy to understand.

Even more importantly, many of the points of grief that were causing industry heartburn have been addressed.

There was a collective sigh of relief heard around the DIB on Friday morning related to:

  • Clarification made between a Cloud Service Provider (CSP), Managed Service Provider (MSP), and External Service Provider (ESP). There were so many comments about this and I am really happy to see that DoD took this to heart. Let no one say submitting your comments is pointless – especially when you think the point has already been made!
  • Security Protection Data (SPD) is now defined as data stored or processed by Security Protection Assets (SPA), which is used to protect an Organization Seeking Certification (OSC)’s environment. SPAs are only in scope relevant to the capabilities provided. This makes sense.
  • Virtual Desktop Infrastructure (VDI) language was added to eliminate the endpoint from scope if it’s not processing, storing, or transmitting CUI. Again - this makes sense.
  • The affirming official not having to swear to compliance into the future. This is a big deal – just ask Vincent Scott.

Three cheers for DoD listening to the gazillion comments and clarifying some big pieces of the puzzle!

The Mediocre

MSPs no longer need a CMMC Certification. On its face, this is good for the overall supply chain. Can you imagine if that was a requirement? What an [expensive] mess. I don’t believe this is as “bad for national security” as I have seen some peers posture, but I do assume that this keeps us in the Wild West of bad eggs continuing to push $2000 CMMC-compliance packages, telling businesses to simply throw a 110 in SPRS and call it a day.

That said, I believe the cream will rise to the top and the most competent MSPs will still seek CMMC Certification. This will benefit their clients and mitigate overall risk across the DIB.

As for FedRAMP: The rule states that if an OSC uses a CSP to process, store, or transmit CUI, FedRAMP Moderate or equivalency requirements apply. So, maybe that’s enough guidance for many organizations to move forward in scoping certain applications in (or out) of their environment. For others, you may be looking for another memo from DoD to clear up the ambiguity. (Although, perhaps we should be careful what we wish for.)

There is also some verbiage in the Final Rule indicating that DIBCAC Assessors are eligible to become CMMC Assessors. Is this good or bad? Good to help with potential assessor bottlenecks, I suppose. Will there be consistency in experience and training across the assessor pool? I'm not sure.

The Ugly

I’ve heard some contractors express concern that 32 CFR 170 Level 2 assessment is at DoD’s discretion. I think this begs the question: Why not just push a DoD contracting officer to appropriately mark and identify CUI? Then there’s a much clearer line to draw between two points. I know - it's much easier said than done.

Oh, and if you missed it - DoD “may include CMMC requirements on contracts awarded prior to 48 CFR part 204 CMMC Acquisition rule becoming effective.” If you’re a Prime – watch yo-self. And your contracts.

Another piece of the rule that caused a lot of furrowed brows: If you are a CMMC Trainer, you cannot also consult. It sounds like some additional clarification is needed on this piece, but if it stands, this may further constrain the most knowledgeable individuals from making the biggest impacts in the “CMMC ecosystem.”

Also, an additional assessor is required on the C3PAO assessment team. This very likely means assessment costs will go up from assessments quoted pre-final rule. “Any individual fulfilling the quality assurance function must be a CCA and cannot be a member of an Assessment Team for which they are performing a quality assurance role.” So, now, for any assessment, an OSC is looking at two CCAs and a [likely part time] QA person. Three people. That's not cheap.

For comparison: I have a shop of <50 employees. For my annual AS9100 assessment (you know, the quality management standard that surveils processes to ensure I’m making quality product to go into aerospace products), one assessor spends two and a half days on-site.

Speaking of costs…

Now, if you’ve read this far, you may be saying to yourself, “Self, I’m amazed Allison hasn’t griped about the overall cost of doing all of this. I mean, I know she’s shared resource constraints before, but I guess she’s come to grips with the fact that there’s no turning back now?”

Well, hey, thanks for asking.

No, I still haven’t fully accepted the fact (and yes, I’m still salty) that the DoD truly doesn’t understand the scope of their requirements and what they are asking for, particularly since they have yet to appropriately mark and identify CUI—the core piece on which all of this hinges.

All of this is incredibly burdensome on small business. But does it matter that I think this, though?

cue the peanut gallery

YoU ShOuLd HaVe BeEn DoInG ThIS foR YeArS

tHiS Is ThE CoSt oF DoiNG BuSinEsS wItH ThE GoVeRnMeNt

I never said small business should not be held accountable for data they have relevant to national security. It’s possible for security and compliance to be expensive while at the same time, necessary in some shape or form.

This observation was shared with me and I’m sharing here (with permission), HT Jonathan Weadon:

I’m a Johnny come lately when it comes to the 800-171 space, so I’ve always stood on that line of “Well, the DoD says if you’re already compliant per 7012, there’s not a lot of cost increase. Just the assessments.”

But on page 208 there’s a complaint about costs where the response says, “81 FR 72990, October 21, 2016 implemented the DoD’s requirement that “contractors shall implement NIST SP 800-171 as soon as practical, but not later than December 31, 2017.” Public comments related to costs for implementation were published with that final rule, along with DoD’s responses.”

So I went back to 81 FR 72990, and those comments complained about cost and choking out SMB, and they said, “The cost of compliance with the requirements of this rule is unknown as the cost is determined based on the make-up of the information system and the current state of security already in place. If a contractor is already in compliance with the 2013 version of the clause 252.204-7012, then the changes necessary to comply with the new rule are not as significant.”

So I went back to the 78 FR 69273, and those comments complained about cost and they basically reassured people “only 6,555 of you will need this, it’s only for unclassified controlled technical information, and we think it’ll cost you about 0.5% of your total revenues.”

If I was a member of the DiB I’d be pretty annoyed.

Oh, we are, Jonathan. Oh, we are.


TLDR;

  • DoD reads (and even addresses!) comments on the rule! Hurray!!
  • If you’re a small business in this space, keep on keeping on. Whether you’re behind the eight ball or have been keeping up and are ready for an assessment, work to be better than you were yesterday. I know, I know, it’s hard. It’s okay to grieve, but you’ve got to get out of bed and put on some pants today.
  • If you're a subcontractor, communicate with your Prime(s). If you’re on autopilot and not reading purchase order flow-down, start today. If there’s something in there you don’t agree with – say something. Are you receiving CUI-related flow-down, but not receiving marked CUI? Speak up. You can be tactful without burning bridges. If nothing else, it shows your customer you’re paying attention.
  • Security and compliance aren’t cheap. There are likely ways to make the biggest impacts in your environment without breaking the bank and without a complete upheaval of business and manufacturing process – but it often takes a subject matter expert to help you identify those opportunities. What’s the alternative? Leaving the DIB? If you’re heavily weighted in the DIB now, good luck being competitive in the commercial production space.

Armando S.

CC |COO|Intel Community Cyber Consultant|Cyber & AI Innovation advisor|Prompt Engineering | Founder|Executive Board Member|featured on ABC News|CNBC|Contributor to HBO Cyber Documentary - My personal account

3 weeks

Allison Giddens again a great post. I will point out that MSPs in my experience assessing the results of their cybersecurity services were not founded to support continuous compliance with cybersecurity frameworks. I have ceased to be shocked when a business that is paying good money to an MSP finally understands that their MSP cannot support their compliance assertions as they don’t have the expertise or staff. This in no way says that there are not MSPs that have augmented their capabilities to support compliance. The same applies to C3PAOs. Not many are equipped to deal with the complex work of dealing with static and actively exploited vulnerabilities, pen testing results, hunt forward operations, third party supply chain risks, and log data analysis to name a few things that feed into the fidelity checks of true cyber resilience and compliance.

Armando S.

CC |COO|Intel Community Cyber Consultant|Cyber & AI Innovation advisor|Prompt Engineering | Founder|Executive Board Member|featured on ABC News|CNBC|Contributor to HBO Cyber Documentary - My personal account

3 weeks

Great insight and true! “since they have yet to appropriately mark and identify CUI—the core piece on which all of this hinges.” This one, not so sure about it: “I’ve heard some contractors express concern that 32 CFR 170 Level 2 assessment is at DoD’s discretion. I think this begs the question: Why not just push a DoD contracting officer to appropriately mark and identify CUI? Then there’s a much clearer line to draw between two points. I know - it's much easier said than done.” The last line is spot on! Do the COs really have this authority? They are not the entity with the requirements or the responsibility to execute the government’s obligations - they can enforce accountability of the government and the contractor - but maybe you do it at your own peril if you are a contractor seeking an option year execution or an award of a recompete? Another great observation - “No, I still haven’t fully accepted the fact (and yes, I’m still salty) that the DoD truly doesn’t understand the scope of their requirements and what they are asking for, particularly since they have yet to appropriately mark and identify CUI—the core piece on which all of this hinges.” Any cost estimate not based on an actual analysis is flawed!

Mackenzie Burkhammer

Cyber Compliance Program Mgr. | Procellis

3 weeks

Great point on checking info coming from your primes in terms of marked information. I see that area as being ripe for error.

Chris Higgins

Solutions Architect | Speaker | Fractional CTO | Strategic Planning | Project Management | Information Systems | Network Infrastructure | IT Strategy | IT Management | CMMC Consulting | CCP | Compliance Management

4 weeks

For the most part I am very happy with the changes and clarifications. I am far from completing the review of all of the changes, but I see it as a positive. As a CCP that works for an MSP I am very happy with the ruling about MSPs that do not process, store, or transmit CUI. If they would have required MSPs to have a L2 assessment to support L2 clients, it would have been a HUGE mess. You would have had MSPs walk away from clients due to the costs. Because 80% of the documentation and evidence will reflect the MSP, if the OSC had to change MSP they would have to start their journey all over. Also you would see a MASS consolidation of MSP services to the DiB to be the big national firms that will force everyone to VDI solutions and see drastic price increases to the OSCs. I agree that some MSPs will still want to get certified, but we will not need to get a certification before our clients for our clients to get certified. This is a BIG win for the DiB.

What a great take from a small business perspective. It's a difficult decision for small business owners that have just one or two DOD contracts. Some of our clients, as small as 5-10 employees, have decided to go all in, hoping to pick up contracts from competitors that decide to drop out. I respect how difficult the decision is.
