What Qualifies As a "Significant Change" in CMMC?
Climbing Mount CMMC, June 04, 2026
8
Duration: 00:36:56 (25.41 MB)

In this episode of Climbing Mount CMMC, Bobby and Kaleigh explore the recent updates and implications of "significant changes" in the CMMC assessment process, focusing on how organizations can navigate reassessments, change management, and the role of C3PAOs.


Link to 32 CFR Final Rule: Federal Register :: Cybersecurity Maturity Model Certification (CMMC) Program

Link to FAQ: CYBERSECURITY MATURITY MODEL CERTIFICATION Program (CMMC) FREQUENTLY ASKED QUESTIONS

Link to Vince Scott's Article: Temporary Deficiencies, Enduring Exceptions, and Operational Plans of Action: What are they and why do I care? | LinkedIn

Website: https://www.axiom.tech/
YouTube: https://www.youtube.com/channel/UCaJagoDasNG3MqLqw2Af_ZQ

Axiom's LinkedIn: https://www.linkedin.com/company/axiomtech/

Bobby's LinkedIn: https://www.linkedin.com/in/bobbyguerra/

Kaleigh's LinkedIn: https://www.linkedin.com/in/kaleigh-floyd-079a52190/

[00:00:01] Hello Climbers and welcome to Climbing Mount CMMC. Boxing up by 6. Good job. What is it doing? Looks good. Hello Climbers and welcome back to another episode of Climbing Mount CMMC, the podcast. My name is Kaleigh Floyd and this is Bobby Guerra and we are your hosts for Climbing Mount CMMC.

[00:00:29] We are a part of an MSP called Axiom that is CMMC Level 2 certified and trying to figure out all of this CMMC stuff. Is that the best way to explain it? Yeah, that's a technical term. It's a short CMMC stuff. Go ahead and look at it in 32 CFR. No, but we are going to be talking about a very interesting phrase that pertains to 32 CFR as well as just the CMMC ecosystem as a whole. You're going to see it in a few different places and we're going to talk about it today,

[00:00:58] which is significant changes. Okay, for those of you guys who are not aware, for CMMC Level 2 requirements, you have to go through, well, many of them require a third-party assessment organization to come in and assess your company's information system to see if it is meeting the NIST 800-171 Rev 2 controls and assessment objectives.

[00:01:23] So it would be very unfortunate if something had occurred that would make you have to do it again, even sooner than you have to, which you have to do this every three years. Now we're going to talk about this significant change that was brought up in 32 CFR Final Rule and kind of dropped a bomb on people of like, hold on a second, are you telling me that sometime during this, you know, three-year period,

[00:01:49] if maybe I make some type of change that I'm going to have to get reassessed by a C3 PAO all over again before the three years even happens? And the answer is yes. So, but guess what? They didn't tell you what those significant changes were. They made it a bit vague here. And we're going to talk about what they gave us in 32 CFR. And we're going to talk about what they gave us most recently in a DOW FAQ

[00:02:17] that talks more specifically about significant changes. Then lastly, we're going to talk about how Bobby spiraled about this discussion of what it all means based upon what they said in this FAQ and what they said in 32 CFR. Right. Because I think it's, you know, the cost of the assessment is not cheap. And to just operationally, yeah, to operationally make changes as you go to work and operate

[00:02:45] that all of a sudden now you have to go through a new assessment. And it's easy to fall into that. You know, some examples of what most people are referring to as significant changes could be a merger and acquisition, right? So you are acquiring another company, right? It does list this specifically. I will say that one of the significant changes that it calls out directly is a merger or acquisition. Maybe the change of the way your organization works and you want to include a physical location that was not in scope during your initial assessment.

[00:03:14] So say, for example, you had five locations and now you decide you want to manufacture and do some other components. Another part of a different location in another part of the country. And it wasn't the cage code was not originally listed in your CMMC assessment. If during a DIBCAC assessment, they find that you are conducting your CMMC activities in systems that are not authorized in your CMMC UID. In other words, when you get assessed, they attach the cage codes to those,

[00:03:42] which binds these areas that are authorized. You're basically defining, like Kaleigh said, your information system. That's the information system now that is authorized to contain that CUI. And if it's another location that's not on those cage codes or lists, you are violating your DFARS clauses. And that's a real problem, or could be, that you don't want to follow it to.

[00:04:06] I, you know, I feel like if everybody had a chance to listen to Corinne's discussion, Corinne Wise's discussion that she did, even we listened to it at KooiCon of mergers and acquisitions. And also she talks with a guy named Jacob. I can't remember his last name, but maybe I can link it below if I find it. He's hidden under a rock. Couldn't find him. So they were talking about a lot of people.

[00:04:30] A lot of people think that a CMMC assessment is done for a company and not the actual system, you know, the information system. And it applies. That's where you're talking about. It's important to know what those cage codes are that are represented in that information system and what's accessing it, what's a part of the environment. And then if there are significant changes, which we'll talk more about that, to that information system, not necessarily the company as a whole,

[00:04:58] but that information system, that could be potentially a significant change that would require an assessment. Switching MSPs would be typically most people find as a significant change. Other people that would tell you if during your assessment you didn't have printing or physical media included and now you do, significant change. They're going to come at you and say to do that. That's a big one. Yeah. Yeah.

[00:05:24] And so here's the problem is if you ask three different C3POs, you might get three different answers. So how do you address that? Right. Yeah, absolutely. So let's start by talking about 32 CFR final rule, which will be linked below. If you want to go to that document directly. But we're going to talk about specifically the phrase significant architectural and boundary changes. So here in this part of 32 CFR, it says,

[00:05:53] CMMC level two self-assessments, level two certification assessments, and level three certification assessments are valid for defined CMMC assessment scopes. And they're outlined in, it references the part that it's outlined in for the CMMC scoping process. Then it says, A new CMMC assessment may be required if significant architectural or boundary changes are made to the previous assessment scope. Here's examples.

[00:06:21] Examples include, but are not limited to, expansions of networks or mergers and acquisitions. Now, I think expansions of networks, I think what you said about printing is a great example of an expansion of a network. Operational changes within an assessment scope, such as adding or subtracting resources within the existing assessment boundary that follow the existing SSP, I think that's an important part, that follow the existing SSP,

[00:06:49] do not require a new assessment, but rather are covered by annual affirmations to the continuing compliance requirements. So, it talks there about what annual affirmations are for. This brings up the change control process. There's a whole process that's baked into CMMC requirements that allows for change. Okay? So, we're not saying no change is allowed. Hear ye, hear ye. You know, like you cannot change your system at all,

[00:07:16] but rather there's boundaries, right, for these types of changes. And so, I do think that emphasizing the part that I said previously, which is following the existing SSP, also brings up the topic that you said, Bobby, of MSPs. If your MSPs are written into your SSP in certain ways, you're also, their CRM is connected, I would say that's a pretty significant change because it adjusts and adapts a lot of your SSP, right?

[00:07:46] Yep. Yep. What other examples do you want to give for this before we move on to the FAQ? I think changing boundaries inside your environment could put you in danger for those types of situations. For example, say that you were doing backups in one facility and you completely changed it to another. Could that fall on that boundary? I would think probably not if you're keeping the same backup solution or you're doing those types of things. This is where, and I know we're going to get into this more, if you start to get into those gray areas,

[00:08:15] keeping that relationship with your C-3PO so you can talk with them about what they would perceive as that significant change is important. Keep in mind, the C-3PO gets to make money off of you going through a reassessment. So you would want to make sure that you're picking a C-3PO that you feel like they're not in it to win it for them, that they would have a fair... That they'll speak honestly. Yeah, a fair and honest conversation with you about it. Because keep in mind too, if they do handle that,

[00:08:43] then they're securing the reassessment with you again in three years. So they could be hurting their future plans for assessments if they don't really conduct themselves appropriately in that manner. So that's something to think about. But it's also just puts a little bit more of an emphasis on keeping that relationship with the C-3PO because you might have to call. Now, they can't consult you, but they can tell you whether the changes that you're doing would warrant a reassessment potentially. And they might have to ask additional questions about it.

[00:09:13] If they couldn't say that, I don't know how this would happen. Truly. If they couldn't give their opinion on this, it would be very odd. So let's switch and talk about the most recent update of this significant change. Okay. So for those of you guys who are not aware, there was a new CMMC FAQ that was posted about a week ago. And it addressed some comments and questions regarding CMMC requirements.

[00:09:41] One of those was, what qualifies as significant change, as a significant change that would require an OSA to undergo a new evaluation under the CMMC program? So this is an excellent question. Now, it does talk about three-year assessment cycle, annual affirmations. But I do think that one of the big important parts that it leads off with in this FAQ is, the decision of whether a change is significant enough

[00:10:09] to require a reassessment is the responsibility of the affirming official who bears the legal and contractual risk of continued compliance and may benefit from consultation with authorized independent consultants. Do you want to describe to somebody who's listening that might not know what an affirming official is? Yeah, the affirming official is the person that has the chutzpah inside the organization to sign on the dotted line around legal documents.

[00:10:37] So that would be like your C-suite type people that are authorized to make those legal decisions that could impact them and bring them into either safer or unsafe waters. For example, deciding this doesn't constitute a significant change. So I'm not even going to consult the C-3PO. We're just going to do it. And then you wing it, come the three-year shows up and the C-3PO walks in the door and they look at the change and go, what the crap? And that could be a real problem.

[00:11:06] They have to live with the consequences of that decision is what they're basically saying. And the consequence could be up to the point that they could fail their upcoming assessment. So it's pay me now or pay me later if you don't really pay attention. So that's where paying close attention to those types of consequences is very important. So if you're the affirming official for your organization, you have almost a fiduciary responsibility

[00:11:34] to keep track of those types of changes that may fall into that. So having a relationship with either an MSP that understands what significant changes look like or having a consultant on hand, which is sort of what it's talking about there, might be a good idea. But I also highly recommend talking with your C-3PO because if that's the people that are going to reassess you, if they look at that and go, oh, that's not a significant change. I mean, how could they come back and fail you later unless you didn't share all the details that they discover during the assessment?

[00:12:04] It would be pretty tough in my opinion. So, I mean, that's kind of what I think about. But it's really interesting is if you read further, it has some more, it puts some more teeth into this statement, which I found really, really interesting. Well, it proceeds to say after that, security requirements that address changes. So it talks about CUI flow through the environment,

[00:12:31] AC 3.1.3, actively manage changes, CM 3.4.3, CM 3.4.4. It even talks about conducting risk assessments, RA 3.11.1, plan of actions to reduce or eliminate deficiencies and vulnerabilities, 3.12.2, monitor security controls continuously, CA policy 3.12.3,

[00:12:58] and update, you know, not to be more vague, but update the system security plan, CA 3.12.4. But underneath this, I think something that's really cool that it says that brings up, I think what you were talking about previously is a reassessment is required if any security requirement or assessment objective was assessed as NA, so not applicable, or assessed as met by virtue of NA,

[00:13:25] but after a change is now applicable since that security requirement or assessment objective has never been assessed. Mm-hmm. So, I think... So, we don't have wireless in our network. Now you do. Now you do? Yeah. That's a change. True or false? CMMC has a delta assessment. There is no delta assessment. You have to go through all of it. Wouldn't that be cool if it did? That'd be so cool if they did, but they don't. So, that's why you got to make sure you pay really close attention and start looking over the horizon when you do your scoping

[00:13:55] and design of your system because if a year or two later, you're like, you know what? I want to add wireless and I want to bring the physical facility into scope because now we're printing and we want to do this. Well, say hello to a new assessment. And in that FAQ, it more clearly defines, like, and you need to follow your change management process. Mm-hmm. So, they want to see that you go through the change management process, you accept the risks or go through those things, and then you implement the change and then you go through the reassessment. They want to see

[00:14:24] all of that happen as kind of, like, part of your system security plan. I mean, that's well within the guise of the system that you should have already established that you should be capable, hopefully, of following because that's what they assessed. So, you should have the mechanisms in place to implement those changes and then follow through with the reassessment. And that's what they're looking for and they're providing additional clarity so that you can see that in certain scenarios because you get together with a group of people and they don't want to do something I'm sure they can figure out

[00:14:54] a way to talk themselves into how they don't have to do that even though that's not the reality. So, I think they wisely suggest in there seek outside counsel just to get outside of your echo chamber because you could be leading yourself down a path of destruction only to be found out much later and then you have to go through contractual remediations, right? So, if the C-3PO comes in and finds it and then they fail you because you didn't go through those and haven't addressed them correctly

[00:15:24] then you could end up going through contractual remediations where you could lose your contracts or you're not able to get reassessed and addressed in the time frame that you have and you're not able to renew your C-3PO level 3 or level 2 assessment, right? So, let's say you wait till two or three months before your affirmation deadline runs out on your three-year certificate that you have your certification that you passed and then you realize you made some significant changes

[00:15:53] and you don't have enough time to make the adjustments to then get it reassessed and revalidated in the right way you could lose your window and then you'll overrun the runway and not be able to get your and you know you could have a gap in your official level 2 and if you don't report that to the contracts that you have DFAR says you have to like if you're not able if you're not in compliance you have to report that to them and if you don't do that then you're lying

[00:16:22] so that's another problem that could come back to haunt you as well Right In the last section of this FAQ like the last part of this FAQ section talking about significant changes it does say and I think this is talking about what you were saying of keeping track using the change control process and adhering to that when these changes are occurring still it is important to consider that the next three year assessment will evaluate

[00:16:51] whether each of these changes have been properly managed according to CMMC security requirements and performed as stated in the SSP failure to significantly demonstrate adherence to the previous SSP may result in future failed assessments now future failed assessments what a term that is I feel like that's also what made you start spiraling that last paragraph there so do you want to talk about

[00:17:20] what like came into your brain when you heard that and some of the concerns regarding that Well at first it sounds very logical if you're not doing the change management correctly when they come in to redo it they're going to fail you on it Yeah Okay totally get that So what does right look like? Just think about that for a second Does right look like a time machine going back in time and then making those changes correctly? I don't have a time machine do you? So you can't go back and make those changes correctly

[00:17:51] What you could do is go back through and identify how you didn't follow your change management process correctly when the assessor determines that you haven't followed it and throw yourself on the mercy of the court to talk about how you're going to try to do better Right that you're going to try to follow that but the sin's already been committed perhaps months if not years ago you can't go back and just erase it it's already

[00:18:20] been done Yeah you can't negate it anymore It's shown in the past and it is what it is And let's make some assumptions here let's assume that you had a good process that allowed you to pass originally you just didn't follow it you just didn't follow it correctly and but it's still there the process still exists you just didn't follow it so now what do you do as assessor you fail them because they didn't follow it but when they come back for reassessment it's still there the fact that they didn't do it

[00:18:50] didn't change how are they going to prove to you now that they are doing it right looking at do they have to make a change again and remediate right let's let's say that that they follow you know we're just we're just throwing

[00:19:23] declare it a significant change and you come back to see you like whoa dude you changed your MSP like you changed even how you did your SSP and the relationship your matrix even changed with this MSP that is a significant change but I do see that you have followed change management correctly except for that like what do you do do you just fail them yeah like their environment is up

[00:19:53] at that moment and you are going to fail them for the past mistake see and this is why the sentence results in a future failed assessment is scary you know yeah it's like because if you think about it okay so you tell them they did it wrong so is this just punitive you have to fail them at least once but then once they come back you it's okay we already failed you once you paid your penalty your failure tax now we'll let you

[00:20:23] go through because you're doing the change management correctly it's just that one that you did which was a significant change you didn't do right so right I don't know I don't have a good answer for that I don't know what the answer is is it just basically they want to force you to you basically just have to do no matter what another assessment for that specific significant change no matter if you wait three years or not even if you waited to the three years

[00:20:53] they would fail you because you didn't do it for that so you still have to do another one anyway it's like you don't get away you have no matter what they want you to do an extra assessment for that significant change and you've introduced significant risk and none of that has been appropriately mitigated or worked through and the contracts haven't been informed about those so that

[00:21:22] system that was authorized for CUI has now become in question because of these massive changes and they want to see how long that has happened and that brings up another question how long do you have to wait before you have to get reassessed let's say that you have identified it is a significant change a year two years there's no date on that there's no expiration on the time frame if you wait two years and you come back still before

[00:21:52] your level your level two reassessment are you okay could you go a few days before you have to renew every three years and be fine and not get a fail or and these are things that I our organization to pick as a C-3PO you should set the bar of where

[00:22:22] you feel like it should be and be careful for what you ask for if you keep putting the affirming official can determine how they would want to do it and make their choice

[00:22:52] because technically they could shop other C-3PO and find one that might find that that's not a significant change think about that right so one C-3PO that says it's not if you just shop around you might find one that says no I don't see it that way and you're like cool you're going to do my assessment in three years you know and that kind of stuff is happening right now people are doing that and that's you

[00:23:33] those types of things like if you were a C-suite person Kaleigh and you went to the C-3PO you did your due diligence and they said okay I'm going to determine that this is a significant change as the CEO or managing partner of a company then what do you do next what would you think how would you handle that if the C-3PO told me

[00:24:03] then what would you do let's say that your second opinion says yeah it's going to be a significant change I probably start to create an operational plan of action or some sort of plan it out start to think how you're going to do it now you're going to start communicating with the C-3PO to think about how you're going to do it I would highly recommend you stay within a one year time frame because that's usually the time frame at a minimum that the bar that if you look at in Rev 2 when they've

[00:24:33] said define at a certain interval the maximum time frame that has been a consensus is a year so well that's why you affirm every year right if you think about it logically if you don't do it yeah if you don't do it within a year are you going to affirm the 110 compliance without saying so here's that the decision of your affirming and your SPRS score

[00:25:04] inside of the website and you're checking all the boxes to affirm is that bad that you did all that without updating sharing that you had a significant change during that time is that a yeah and I think is there a box for that in SPRS right now no so what you can do is the operational plan of actions like you were talking about you said in

[00:25:44] this is you know biblically like this is how it has to be but I think you can walk a line where you affirm that you've passed because you're going through that change and you're following your SSP you're following your processes and 32 CFR provides guidance that that's possible for you to do it's just you've got to have that process defined and you're working through it it wasn't there's no

[00:26:14] that process of doing it but so let's say that you started your significant change in November right and you actually did your assessment and passed your third party in January so and your significant change is going to take six to eight months right to go through you're going to hit your affirmation date through that mid transition so you'd have to affirm as you're going through it so that's another thing

[00:27:09] you out there is you know for the people that might not be fully involved in the CMMC ecosystem and who read all the documents is there a document that speaks directly to a C3 PAO that stumbles upon an organization that did not share the significant change or the update with maybe their contracting officer or their

[00:27:39] PO and do they do they like report them in some way or do they just like snitches get stitches sort of thing and they just like moonwalk out of it and say I didn't see it you know there's not I don't I haven't seen a assessment guide that specifically speaks to

[00:28:09] would the C-3PO have a requirement to report you if you were supposed to and you ran for a period of time for a contract that required it yeah so if you think about it would you go to a CPA if they're going to report you to the IRS if you did something wrong right right I mean that's real life do you walk into jail after you

[00:28:39] killed somebody I mean the C-3PO is an organization a business who has their own responsibility and requirements and they're not required by law to report it now they're all false claims acts that someone inside their organization if they did see it they decided I could report it and let's see what happens but that would be to the individual not to the organization so you that's some very muddy waters because

[00:29:09] no one is going to go in and do that you know that's part of the reason why you have you know your defendant to defend you right to say okay we're going to give you that best if when the C-3PO is going to come in they're going to assess you if they're going to literally report you to DOJ if they have any problems even when they assess you I don't that's pretty scary to do that so and some people you know they bring up this conversation they think it's so black and white and it's

[00:29:39] so easy like oh you know that person's not responsible for it who cares but if you're the C-3PO or even an example of you're the MSP that left a CMMC level two certified client you know or was removed from that environment do you have to do something to cover your butt so nothing happens to you people would say if I said that they'd be like your system is not the one getting assessed it's the client

[00:30:08] it's suing you right or trying to do something or attempting something right and so there's still like muddy waters and in my opinion I think lawyers are starting to get all over the CMMC thing because it's becoming very interesting so just like a heads up for you as an organization to really think through these things and what you're going to do and track as an organization because of how sketchy and risky these

[00:30:38] situations could potentially be yeah so I think to kind of boil down I think what you're saying is if an MSP was if they were transitioning away from a client they would probably want to protect themselves from blowback if they don't handle that transition correctly so a smart play would be hey we just want to let you know our shared responsibility matrix is null and void at this

[00:31:08] change management process and determine whether it's a significant change I would try to make sure you have that in writing that you've sent it notified them that because now granted you're not providing consulting to them anymore so it's not your responsibility to inform them about their bad choices in the future they have to do that themselves but you might I heard a cop say at the best you might beat the you

[00:31:38] might win your court case but you still could get sued so but if you create good documentation to help shore up early conversations if they start sniffing about how they might want to hold you liable and you're like here's the stuff that's saying that ain't nothing to us if they've got good counsel there look there's nothing here for you to do by you you you're lose

[00:32:07] that's up to you but that's how a good counsel would handle that with them and so having that documentation could help those early discovery processes be a lot easier to kind of ward

[00:32:37] yeah exactly and and I mean you brought up documentation for both of those sides that we talked about for the OSA that's experiencing that significant change the documentation process and getting to another you know a reassessment at a timely fashion is key is key there to be able to track what's happening in your environment that an assessor could come in and understand what has happened is very important so make sure to

[00:33:07] keep the evidence the documentation as well as you know you're somebody like an MSP on on the outskirts of it that's a part of the process or a C3PAO there's all of it I think has to do with really keeping track of those things and the documentation components and being I would like to see a C3PO share their perspective about the FAQ

[00:33:37] if they've gone through and done an assessment and they have found this is you know our kind of Kobayashi Maru no win scenario here would be that they follow change control normally but when they made the significant change they did not follow it you come to assess them and that significant change was a year ago and you discover it in your phase one what do you do right I would hope to God you would

[00:34:06] discover it as a C3PO in phase one right if you didn't then what the air when we're going through and doing a reassessment because they want to look for potentials for the significant change but let's say you find it in phase one what do you do they can't go back in time and fix it

[00:34:36] how do they address it what do you do like you just talk about it and shake hands and say it's not a big deal like it happened the body's been buried you can't resurrect them now and I'm just really curious what would a C-3PO do I don't know how I handle that I would really like to have an answer to that question okay well we might have to

[00:35:13] level two certified and would like to keep their level two certification we care about this stuff and how it's going to be addressed so I mean you can fail them but you fail them once do we come back tomorrow you come back it's still the same problem right so fail them again next week is it going to be okay maybe meet with you then I have a good answer for that yeah interesting stuff all right guys punch not to get hit with is the one you dodged don't be there

[00:35:43] make good choices folks yeah do not put yourself in that situation yes absolutely do not please well I'm going to link all the stuff that we talked about 32 CFR as well as the FAQ down below and also if you're watching this you'll see them up on the screen but make sure to go to YouTube if you want to see the visuals as well while we're talking about them please make sure to comment hey if you're a C3 PAO with experience that you want to

[00:36:20] CMMC right now in the ecosystem you're going to be seeing these things you have seen them and you will continue to see them for a little bit so we hope you enjoyed today's episode of us talking about this stuff again we're going to say at the see the

[00:36:49] podcast but until then guys as always remember to keep on climbing see ya