CMMC - Temporary Deficiency Discussion

The Cybersecurity Maturity Model Certification (CMMC) 32 CFR Part 170 rule has been finalized and published on October 15, 2024. The rule does an excellent job at addressing contractor concerns over various issues. One of the most important changes is with the handling of deficiencies.

'Temporary Deficiency' Defined

The rule section defines a ‘temporary deficiency’ as “a condition where remediation of a discovered deficiency is feasible, and a known fix is available or is in process. The deficiency must be documented in an operational plan of action. A temporary deficiency is not based on an ‘in progress’ initial implementation of a CMMC security requirement but arises after implementation. A temporary deficiency may apply during the initial implementation of a security requirement if, during rollout, specific issues with a very limited subset of equipment is discovered that must be separately addressed. There is no standard duration for which a temporary deficiency may be active. For example, FIPS-validated cryptography that requires a patch and the patched version is no longer the validated version may be a temporary deficiency.

FIPS-validated Cryptography

One such issue is practice SC.L2-3.13.11: Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. The practice states, “determine if FIPS-validated cryptography is employed to protect the confidentiality of CUI.”

The SC.L2-3.13.11 Discussion paragraph states, “Cryptography can be employed to support many security solutions including the protection of controlled unclassified information, the provision of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances for such information but lack the necessary formal access approvals. Cryptography can also be used to support random number generation and hash generation. Cryptographic standards include FIPS-validated cryptography and/or NSA-approved cryptography.”

Let’s take the following real-world example:

  • You’ve retrieved the FIPS-validated certificate from the NIST CMVP site.
  • You’ve enabled ‘FIPS Mode’ firmware on your next-generation firewall.
  • You receive a critical vulnerability notification from the vendor & informs you to update to the latest firmware version to remediate the vulnerability.
  • You update to the latest firmware & remediate the vulnerability, which invalidates your FIPS-validated cryptography.
  • You would document this as a ‘temporary deficiency’ in your operational Plan of Action & continue to work with your vendor.
Here's an alt tag for the image: `Critical vulnerability alert: FIPS mode disabled.`