CMMC Update: Details on Certification Infrastructure and COTS Products

The framework for the DOD’s Cybersecurity Maturity Model Certification (CMMC) process continues to move forward. Here’s an update on what’s currently happening with the CMMC that includes a few more details the DOD and the independent CMMC Accreditation Body have recently released about the nuts and bolts of the certification process.

As explored in prior posts (such as this one), the CMMC standards were put in place to protect Controlled Unclassified Information held by defense contractors to reduce loss of data and “risk to national security.” The standards will require a third-party audit of all defense contractors and will be proportional to the magnitude of the contract and what data the contractor is handling for the DOD.

CMMC Accreditation Body and C3PAOs

DOD’s partners have been hard at work fleshing out the details of the certification process. The CMMC Accreditation Body (or CMMC-AB) is a non-profit, independent organization that will accredit CMMC Third Party Assessment Organizations (C3PAOs) and the assessors themselves. This means the CMMC-AB is not part of the government, although it operates under an agreement with the DOD. The C3PAOs are the organizations that will help “train the trainers,” meaning they will provide skills to and assist the assessors, but the CMMC-AB will actually license the assessors. A C3PAO must be certified by the CMMC-AB, and then the C3PAO will train and monitor the CMMC assessors who provide the certifications.

The CMMC-AB is taking steps to carry out its goals. The training program for CMMC assessors has not started yet, and there is no timeline on the AB’s website. As a consequence, no assessors have been licensed yet.

However, as part of its mission, the AB is conducting market research to develop “a scalable and extensive partner-centric training and educational model to effectively equip professionals, students, and other stakeholders within the CMMC ecosystem.” The organization will provide training content and providers for certification. The AB is also doing market research for an entity to develop a CMMC certification exam.

Sellers of COTS products don’t require CMMC certification

CMMC certification will not be required for a company that only provides commercial off the shelf products. The CMMC FAQs have been updated to confirm that companies, including subcontractors, “that solely produce Commercial-Off-The-Shelf (COTS) products do not require a CMMC certification.”

Under NIST SP 800-161, COTS is defined as “Software and hardware that already exists and is available from commercial sources.” Note that the exception applies only to companies that produce COTS products; a “product” is defined as the “[r]esult of a process,” and a system as a product “is what is delivered by systems engineering.” So, a company that also provides services probably wouldn’t qualify for this exception (because services aren’t products), and neither would a company that modifies the COTS products (because modification means it’s no longer off the shelf).

However, even companies that do not possess Controlled Unclassified Information must still meet the Level 1 Certification if they possess Federal Contract Information. Federal Contract Information is defined under FAR 52.204-21 as “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.”

In contrast, Controlled Unclassified Information is basically Federal Contract Information or government-created information that is protected from release under a law, regulation, or Government-wide policy. Unfortunately, the CMMC FAQs do not provide much detail on the difference between Controlled Unclassified Information and Federal Contract Information, so the safest practice would be to assume that all federal contractors, other than those merely supplying COTS products, must meet at least CMMC Level 1.

As we’ve noted, the CMMC is a big change to how many federal contractors will operate. Stay tuned to the blog as we continue to monitor the rollout of the CMMC standards.
