Can CMMC Certifications be Invalidated?

grcacademy.io / @Jacob Hill

You’re CMMC certified… You’ve now entered the final phase of “fire and forget.”

Step carefully… You CAN invalidate your certification by making changes!

Check out these excerpts from the CMMC Program proposed rule:

It is possible for an organization to need a new assessment during the validity period. CMMC self-assessments and certifications are valid for a defined CMMC Assessment Scope.

What is the CMMC assessment scope? The CMMC glossary says it “includes all assets in the contractor’s environment that will be assessed.”

More goodness from the CMMC program rule:

If the CMMC Assessment Scope changes due to infrastructure modifications or expansion of the CMMC Assessment Scope due to new acquisition, a new assessment may be required.

It continues:

The original CMMC certification remains valid for the original CMMC Assessment Scope. The information system(s) in the new CMMC Assessment Scope may not be used to process, store, or transmit CUI for any contract until it is validated via a new CMMC assessment.

There isn’t a CMMC traffic cop checking on this stuff after you are certified, right? Well, yes, that is kind of true…

BUT… Contractors are required to annually affirm that they are still compliant and that their CMMC Assessment Scope has not changed (a false affirmation creates False Claims Act exposure).

Additionally, the DFARS 7021 proposed rule that was published yesterday will require contractors to:

Notify the Contracting Officer within 72 hours when there are any lapses in information security or changes in the status of CMMC certificate or CMMC self-assessment levels during performance of the contract;

I think this is an attempt at another check and balance. What the contracting officers will do with this information I do not know… But it could mean bad news for the contractor, especially if it is determined that a change invalidated their CMMC certification!

I did submit a comment to the government asking that they define the types of changes that are acceptable and won’t invalidate a CMMC certification. Here are a few scenarios I gave them:

  1. Contractor replaces a cloud security protection asset (e.g., a vulnerability scanner) with another technology.
  2. Contractor upgrades CUI assets to Windows 11.
  3. Contractor implements the latest DISA STIGs on CUI assets.

What say you? Do you think contracting officers will be able to handle these reports? Who will they pass them on to?!? So many questions…

Need help on your CMMC journey? We offer CMMC training for defense contractors!

I’m also a VP of Cyber at a small defense contractor. I packaged what I learned over the years into comprehensive CMMC courses focused on the DIB!

If you are just starting your CMMC journey, don’t know what to do next, or just want to make sure you are headed down the right track, check them out!

published 4 months ago
