With the recent unveiling of CMMC 2.0, the expanded presence of StateRAMP, and new FedRAMP guidance on external services, it’s safe to say that 2022 has a lot in store for federal compliance changes. Tony Bai, A-LIGN’s Federal Practice Lead, and Emily Cummins, Anitian’s Director of Cloud Security, sat down to discuss the latest news in federal compliance and what it could mean for your organization. Let’s dive in and get their thoughts on the CMMC 2.0 introduction, the new FedRAMP authorization boundary guidance, StateRAMP and more!
Like everyone else in the world of federal compliance, A-LIGN and Anitian have been closely tracking the Cybersecurity Maturity Model Certification (CMMC) since the U.S. Department of Defense (DoD) shared its initial draft of the model in early 2020. With the release of CMMC 2.0, three major changes were announced: fewer security tiers, the removal of some third-party assessment requirements, and the allowance of Plan of Action and Milestones (POA&M) reports in certain cases.
Fewer Security Tiers
The initial CMMC draft established five tiers of cybersecurity requirements for contractors. The tier a contractor must meet depends on the types of data it handles in executing federal contracts. With CMMC 2.0 there are now only three security tiers:
- CMMC Levels 2 and 4 from the original framework are eliminated along with all maturity level processes.
- Level 1 Foundational: Includes the same 17 controls outlined in the original CMMC framework, but now only requires an annual self-assessment and affirmation by company leadership.
- Level 2 Advanced: Pares the 130 controls in the original CMMC Level 3 baseline down to the 110 controls in NIST SP 800-171. The DoD is working on a process to identify “prioritized acquisitions” that must undergo an independent assessment against the Level 2 Advanced requirements on a triennial (every three years) basis. All other organizations will only be required to perform an annual self-assessment with a company affirmation.
- Level 3 Expert: Replaces what was formerly known as CMMC Level 5. Details of this level are still being defined; it is expected to incorporate a subset of the controls in NIST SP 800-172.
Removing Some Third-Party Assessment Requirements
Under CMMC 2.0, Level 1 contractors will no longer be required to obtain a third-party certification. Instead, they will follow a self-assessment protocol, which can significantly reduce the cost of compliance for many contractors. These self-assessments require an annual affirmation by company leadership. The same change applies to Level 2: third-party assessments will only be required for companies supporting the highest-priority programs.
Even with this change, to ensure compliance and avoid any significant penalties, we recommend you hire a third-party assessor to complete your CMMC certification.
“Plan of Action and Milestones” (POA&Ms) Reports
The DoD has decided to allow POA&Ms in specific cases. A POA&M lets a contractor pass an assessment even if it does not currently meet every required security control, provided the report properly outlines a plan of action and deadlines for meeting the outstanding controls.
“I have three words: Totally clean assessment,” said Emily. “We would all love to have them, but in my eight years of working in this industry, I’ve never once seen a zero-finding assessment. With the release of CMMC 2.0, there is now the ability for an exception, where a finding is documented and tracked within the Plan of Action and Milestones (POA&M). This change makes CMMC certification much more achievable and realistic for the supply chain industry.”
Agreeing with Emily, Tony adds: “In the past, if we ever saw a system or report with zero findings, it would be a huge red flag and prompt us to dig much deeper. A completely clean company would raise suspicions.” Under CMMC 2.0, a POA&M allows six months from the time the C3PAO completes the assessment to remediate any open items. The DoD has yet to determine which practices, if any, will be treated as “showstoppers” that cannot be left open on a POA&M.
FedRAMP strengthened the federal government’s ‘cloud first’ initiative by enabling federal agencies to contract with approved cloud providers best equipped to protect vital government information. FedRAMP has officially posted its new authorization boundary guidance as a “draft”, but it is essentially in effect for all CSPs, 3PAOs and stakeholders.
“The biggest impact is that nonfederal authorized external services that store, process, or transmit federal data and metadata aren’t going to be acceptable for FedRAMP operating status with a user-ready assessment report,” said Tony.
Under FedRAMP High, organizations have never been able to connect to an external service that had not itself earned a FedRAMP High ATO. “In the past, as long as the organization had other authorizations, they could build a use case for why they were using an unauthorized external service,” said Emily. “This will no longer be allowed, as organizations can now only connect to FedRAMP-authorized services.”
FedRAMP recently released a document that defines metadata broadly, as any surrounding data that can be ‘traced or linked back to’ federal data. “FedRAMP will want to see the peripheral attachments, systems, or equipment that aren’t necessary for the operation of the system you’re selling to the government, but can play a significant role if they’re used,” said Tony. “You should contact your 3PAO, like A-LIGN, or cloud security experts, like Anitian, for clarification and guidance on your organization’s specific situation.”
As cyberattacks against state and local governments become more prevalent, these agencies are in dire need of a way to modernize and systematize their cybersecurity practices, especially for cloud technologies. That’s where the State Risk and Authorization Management Program (StateRAMP) comes in. StateRAMP is essentially a nonprofit FedRAMP at the state and local level, based on the NIST SP 800-53 control framework.
“I think StateRAMP is going to find its success with CSPs struggling to locate a sponsoring agency,” said Emily. “Reciprocity will occur, but for those struggling to find federal sponsorship who shy away from the FedRAMP JAB business requirements, StateRAMP will be a great solution.”
Tony added: “StateRAMP doesn’t have to occur at the formal state CIO level on down. StateRAMP is for any city government, county government, or state agency that wants to participate in this program. There are some states that are accepting this certification at a holistic level, like Arizona and Texas. For those companies that have an existing FedRAMP authorization, there is reciprocity down to the StateRAMP level: they would review your FedRAMP package and issue an equivalent status.”
Compliance certifications are continuously evolving, and rightfully so. “It’s necessary for compliance frameworks to grow in order to keep up with the federal government’s changing threat landscape,” said Tony. “Your organization needs partners and technology that understand the requirements and can provide insight into CMMC, FedRAMP and StateRAMP throughout all phases of the assessment.”
“Oftentimes organizations feel that security certifications are a large lift, but the right partner and technology solution can greatly help your organization when preparing for and going through the assessment process,” said Emily. Together, A-LIGN and Anitian can help organizations achieve CMMC 2.0 certification, FedRAMP Ready and/or FedRAMP Authorized status, and StateRAMP Authorized status, from application security through certification.
If you have any questions or if you would like to learn more about undergoing a CMMC, FedRAMP, or StateRAMP assessment, please reach out to one of A-LIGN’s experienced assessors at [email protected] or 1-888-702-5446. To discover how Anitian offers the fastest path to security and compliance for cloud applications, please complete a form or call 1-888-264-8426.