CMMC 2.0 Allows for POA&Ms but There’s a Catch…
Under CMMC 2.0 you can now have a Plan of Actions and Milestones (POA&M) for any control you’re not meeting 100%. While this a huge improvement over the old rules, only some NIST 800-171 controls are allowed in your POA&M. Controls with the highest weight (5 points) are NOT allowed in your POA&M! I’ll put the list at the end of this article but please read on for other important details.
Additionally, any POA&M entries need to be addressed “within a clearly defined timeline”. Can I define 100 years? It’s clear, right? That’s probably not the intent. With luck the DoD will set some boundaries but this vagueness creates fresh loopholes. Read on to see how they might be closed…
Contract Awards Will Require Minimum Compliance Scores
Prior to CMMC 2.0, there was no minimum acceptable score under the DFARS 7020 Assessment Requirement. That will change with CMMC 2.0 because “DoD will establish a minimum score requirement to support certification with POA&Ms.” In other words, you won’t be able to meet compliance requirements below a certain score and won’t be eligible for contract awards as a result.
Scores range from -203 to 110 points. What the minimum score will be is yet to be determined but it won’t likely be less than 7 (only the highest weighted controls). My guess that it will not be less than 60 (all the 3 and 5 point controls plus all the 1 point CMMC 2.0 Level 1 / FAR Basic Safeguarding controls). I would also expect this to increase over time as more contractors score higher, thereby shrinking the timeline loophole.
Contracting Officers will have a clear-cut way to evaluate which firms are eligible to be awarded contracts. This fixes a critical deficiency in the current compliance enforcement regime, which didn’t define any minimum criteria for contract award. Leaving it up to the Contracting Officer or bid evaluators to determine what score was adequate created liability problems and risked award challenges. It’s also a major reason why there’s limited true compliance to date with only around 1/2 of all contractors actually meeting the standards when professionally assessed by DIBCAC.
Contractor Executives Need to Sign-off on Compliance Scores
With CMMC 2.0, executives are now on the hook for signing off on compliance through a self-attestation requirement. Previously, the scores simply needed to be completed by the Contractor and posted to SPRS, which could be done by anyone with SPRS access. Usually, this means an IT team does the score and a contracts person uploads it to SPRS. With this change, compliance will be elevated to the C-suite, the same organizational level as the risk for False Claims Act (FCA) penalties applies. One presumes executives will ask questions before signing off, something that was possible to overlook before.
To put some teeth into the requirement, the Department of Justice recently created a new Civil Cyber-fraud Initiative that focuses explicitly on non-compliance with cybersecurity requirements by Government contractors. With FCA penalties being applied to both companies and individuals, this raises the stakes for anyone thinking about knowingly misrepresenting their cybersecurity compliance status.
Did you know…
- Whistleblowers typically receive 15% to 30% of the recovered amount under the False Claims Act qui tam cases
- Penalties are 3x damages plus between $11,665 and $23,607 per claim
- Each invoice submitted under false terms is subject to a separate FCA claim (e.g. 12 monthly invoices could cost you $283,284 plus 3x damages)
- Whistleblowers are protected from reprisals
- Hotlines are set up for every civilian agency and the DoD
What About CMMC Waivers?
Lest you think a waiver is your ticket out, let me throw cold water on that idea. While waivers are allowed, they come with major restrictions:
- Applied to entire CMMC requirement, not individual cybersecurity practices
- Allowed on a very limited basis in select mission critical instances, upon senior DoD leadership approval
- DoD program office submits a justification package that includes specified timeline and associated risk mitigation plan
- Timelines imposed on a case-by-case basis to achieve CMMC compliance
Clearly, they intend this for a very few specific situations. If you truly can’t meet the requirements, including using “alternative measures”, say due to some specialized manufacturing system, then it’s worth giving it a go but otherwise, I’d say forget it.
Are You Struggling to Meet NIST 800-171, DFARS 7012, or CMMC Requirements?
Before we get to the list of disallowed controls, let me pitch our solution: Compliance Island provides an already CMMC 2.0 Level 2 compliant solution and is designed to process all types of CUI and FCI data, include export controlled, nuclear, and other sensitive categories. If you have DFARS Clause 7012 in your contracts, skip the POA&Ms, unpredictable costs, and worries. Contact us to see how we can help you get, and stay, compliant in just days at a low fixed cost.
NIST 800-171 Rev. 2 Controls That Cannot be on a POA&M
Under CMMC 2.0, the highest weighted (5 points) requirements cannot be on POA&M list. If you have a POA&M for any of these controls, prioritize getting them implemented before CMMC 2.0 rulemaking is completed:
|3.1.1*||Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).|
|3.1.2*||Limit system access to the types of transactions and functions that authorized users are permitted to execute.|
|3.1.12||Monitor and control remote access sessions.|
|3.1.13||Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.|
|3.1.16||Authorize wireless access prior to allowing such connections.|
|3.1.17||Protect wireless access using authentication and encryption.|
|3.1.18||Control connection of mobile devices.|
|3.2.1||Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.|
|3.2.2||Ensure that personnel are trained to carry out their assigned information security- related duties and responsibilities.|
|3.3.1||Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.|
|3.3.5||Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.|
|3.4.1||Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.|
|3.4.2||Establish and enforce security configuration settings for information technology products employed in organizational systems.|
|3.4.5||Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.|
|3.4.6||Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.|
|3.4.7||Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.|
|3.4.8||Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.|
|3.5.1*||Identify system users, processes acting on behalf of users, and devices.|
|3.5.2*||Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems.|
|3.5.10||Store and transmit only cryptographically- protected passwords.|
|3.6.1||Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.|
|3.6.2||Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.|
|3.7.2||Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.|
|3.7.5||Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.|
|3.8.3*||Sanitize or destroy system media containing CUI before disposal or release for reuse.|
|3.8.7||Control the use of removable media on system components.|
|3.9.2||Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.|
|3.10.1*||Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.|
|3.10.2||Protect and monitor the physical facility and support infrastructure for organizational systems.|
|3.11.2||Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.|
|3.12.1||Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.|
|3.12.3||Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.|
|3.12.4||Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.|
|3.13.1*||Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.|
|3.13.2||Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.|
|3.13.5*||Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.|
|3.13.6||Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).|
|3.13.15||Protect the authenticity of communications sessions.|
|3.14.1*||Identify, report, and correct system flaws in a timely manner.|
|3.14.2*||Provide protection from malicious code at designated locations within organizational systems.|
|3.14.3||Monitor system security alerts and advisories and take action in response.|
|3.14.4*||Update malicious code protection mechanisms when new releases are available.|
|3.14.6||Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.|
* FAR Basic Safeguarding Controls (applies to all Government contractors, not just those handling CUI)
The DoD describes this list as a “small subset of requirements that cannot be on a POA&M”. No argument from me that it’s a subset and, yes, it’s smaller rather than larger, but 45 out of 110 doesn’t seem “small”.
NB: This article was written on November 7, 2021. CMMC 2.0 is currently a proposed rule that is just beginning the rulemaking process. If you’re reading this after rulemaking has finished, please confirm the details before taking action.