As we start off the New Year, the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) program has reached a pivotal milestone with the release of the CMMC Proposed Rule in the Federal Register on December 26th. This development triggers a critical 60-day comment period and sets the stage for CMMC’s integration into contracts by the fourth quarter of 2024. Let’s discuss some of the insights from the proposed CMMC rule.
Critical Insights from the CMMC Proposed Rule:
- Finalization of CMMC: The publication of this proposed rule is a significant step towards the formal adoption of DFARS 252.204-7021 and the full implementation of the CMMC program. Compliance with the specified CMMC level in contracts will become mandatory for defense contractors.
- Security Controls at CMMC Level 2: The controls required at CMMC Level 2 will align with the 110 controls in NIST SP 800-171 R2, a framework already familiar to many defense contractors handling Controlled Unclassified Information (CUI).
- C3PAO Assessments for CMMC Level 2 Certification: The DoD anticipates that a vast majority (95%) of organizations handling CUI will require an assessment by accredited C3PAOs every three years, impacting over 76,000 companies.
- Plan of Action and Milestones (POA&Ms): Achieving the full 110/110 on NIST SP 800-171 assessments isn’t necessary for CMMC certification. However, a minimum score of 88 is required, and POA&Ms are limited under specific conditions.
- Joint Surveillance Voluntary Assessments (JSVA): Perfect scores on JSVA assessments, with no open POA&Ms, will be directly convertible to CMMC Level 2 certification.
- Encryption Requirements for CUI: Defense contractors and Cloud Service Providers (CSPs) must use FIPS validated cryptographic modules for encrypting CUI to support CMMC Level 2 certification.
- DFARS 252.204-7012 Compliance: The rule confirms that DFARS 252.204-7012, particularly clauses (c)-(g) regarding cyber incident reporting, will remain essential, affecting the use of commercial email systems like Microsoft O365.
Timeline and Comment Submission
The comment period, crucial for influencing the final shape of CMMC, will conclude on February 26, 2024. The DoD will then review and respond to comments, a process that could extend up to 18 months.
Preparing for CMMC Compliance
With CMMC set to be finalized, contractors need to start preparing immediately. As per CyberAB CEO Matt Travis, waiting in hopes of a delayed rule-making is not advisable. The path to compliance involves aligning with NIST SP 800-171, a task that could take small companies 12-18 months.
Becoming CMMC 2.0 compliant will not happen overnight. Depending upon where you are, it could take months or even years to implement everything necessary to obtain and retain DoD contracts.
Companies that fail to comply are at risk of losing existing contracts, having them not renewed, or not being eligible to win new contracts. By getting ahead of this now, you could save your organization from great financial harm and business disruption. Not addressing CMMC 2.0 could kill your business.
Access a free copy of our CMMC preparedness checklist now and take the first step towards ensuring the security of your organization’s DoD contracts. This comprehensive checklist will help you understand the basic certification requirements and where you stand in the certification process.