As organizations work through the complexities of CMMC (Cybersecurity Maturity Model Certification), many are seeking clarity on how their previous DCMA DIBCAC assessments align with the new CMMC requirements. Here's a breakdown of the key details from the final rule regarding the acceptance of other DIBCAC assessments:
- DCMA DIBCAC High Assessment and CMMC Level 2: The DoD recognizes DCMA DIBCAC High Assessments as meeting some of the CMMC Level 2 Certification requirements. However, this only applies if the assessment score is perfect (110), with no open POA&Ms (Plans of Action and Milestones). Any open POA&Ms must be closed before the standards can be accepted for CMMC certification.
- No Acceptance for CMMC Level 3: DCMA DIBCAC High Assessments cannot be used for CMMC Level 3 certification. CMMC Level 3 requires compliance with NIST SP 800-172, a more stringent set of requirements than those assessed by the DIBCAC High, which is based on NIST SP 800-171.
- Importance of Joint Surveillance: A Joint Surveillance assessment, which is a collaboration between DCMA and DIBCAC, is necessary for achieving CMMC Level 2 certification. To be eligible, the assessment must be flawless (no open POA&Ms) and must demonstrate full compliance with NIST SP 800-171 R2.
- Eligibility for Standards Acceptance: Only DIBCAC High Assessments completed prior to the effective date of the CMMC rule are eligible for standards acceptance. These assessments can be used for CMMC Level 2 Certification, but they will be valid for only 3 years from the date of the original assessment.
- Transitioning to CMMC Level 3: CMMC Level 3 assessments must be conducted by DoD entities due to the sensitive nature of the programs involved. This avoids potential conflicts of interest associated with C3PAOs assessing other C3PAOs.
- DIBCAC vs. CMMC: The CMMC model incorporates requirements from NIST SP 800-171 R2 and NIST SP 800-172 (for Level 3), while DIBCAC operates under different guidelines and can assess additional requirements from DFARS 252.204-7012.
- Security Technical Implementation Guides (STIGs): The DoD STIGs provide secure implementation guidance for specific products. Organizations Seeking Assessment (OSAs) may use these STIGs to support CMMC compliance, but they are not required to; OSAs are free to choose whichever implementation guidance best fits their environment.
- CMMC Level 2: DCMA DIBCAC High Assessments are accepted if the score is perfect and POA&Ms are closed.
- CMMC Level 3: Requires assessments by DoD entities, not DIBCAC or C3PAOs.
- POA&Ms: Any open POA&Ms must be resolved before standards acceptance for CMMC certification.
- Joint Surveillance: A flawless Joint Surveillance assessment is crucial for CMMC Level 2 certification.
As organizations navigate the requirements for CMMC certification, understanding the relationship between DCMA DIBCAC assessments and CMMC standards is critical. For those aiming for CMMC Level 2, ensuring a clean, compliant assessment is the first step toward meeting DoD cybersecurity standards.
#CMMC #CyberSecurity #Compliance #DIBCAC #NIST #DoD #CybersecurityCompliance