DoD CMMC Proposed Rule has been released! — What Next?

On December 26th, the Cybersecurity Maturity Model Certification (CMMC) proposed rule was officially released for review. The comment period is open through 26 February 2024, and publication of the Title 48 CMMC rule is not expected until March. The final rule itself is not likely to go into effect until early 2025.

The proposed rule reaffirmed that defense contractors and subcontractors that have access to Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) will be required to demonstrate the “maturity” of their cybersecurity programs against a set of increasingly advanced capabilities based on the 110 controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 2. It also places comparable requirements on managed service providers. The CMMC program will require most contractors that process CUI to obtain a third-party certification that they have successfully implemented these 110 cybersecurity controls. (Contractors handling CUI are already required to comply with NIST SP 800-171 through Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, but only a self-attestation is currently required.) Failure to obtain a CMMC certification will mean a contractor is prohibited from receiving any federal contract that contains the CMMC FAR clause.

CMMC 2.0 includes three distinct levels of compliance. Contractors handling only Federal Contract Information (FCI) will be required to obtain a Level 1 assessment, which is a self-certification consistent with the requirements in FAR 52.204-21 and requires compliance with 17 of the 110 controls. This is strictly a self-assessment, though it may be worthwhile to obtain the services of a Registered Practitioner Organization (RPO), such as BSC, just to confirm that you only require Level 1 and to provide some cost-effective strategies for meeting the seventeen requirements. For CMMC Level 2, DoD requires compliance with the 110 controls defined in NIST SP 800-171 Rev. 2 and, depending on the contract, requires either a Self-Assessment or a Certification Assessment performed by a CMMC Third-Party Assessment Organization (C3PAO). For CMMC Level 3, DoD will include the requirements of Level 2 and add specific requirements from NIST SP 800-172.

The proposed CMMC Level 2 and Level 3 generally align with DFARS 252.204-7012 (i.e., compliance with NIST SP 800-171), with important additions:

  • Limitations on POA&Ms: POA&Ms are limited to specific security controls and must be mitigated within 180 days of the assessment.
  • Assessments: The proposed rule contemplates two types of assessments: Self-Assessments performed by the contractor and Level 2 Certification Assessments performed by CMMC Third-Party Assessment Organizations (C3PAOs). CMMC Level 2 Certifications and Self-Assessments are valid for up to three years.
  • Managed Service Providers: DoD will require managed service providers to be compliant with NIST SP 800-171 Rev. 2, and the type of assessment should be consistent with that of the organization hiring them.
  • Subcontractors: Prime contractors and higher-tier subcontractors must “require subcontractor compliance,” but the proposed rule does not require prime contractors or subcontractors to monitor subcontractor compliance. The CMMC Level that will apply to a subcontractor is the CMMC Level that aligns with the type of information the subcontractor processes, which may be different from the CMMC Level that applies to the prime contractor.
  • Affirmations: Defense contractors must affirm compliance with the applicable CMMC Level after each assessment, after POA&M closeout, and annually thereafter. Affirmations must be submitted by a “senior official” of the contractor.
  • Timing: DoD plans to implement CMMC in four phases over a three-year period:
  • Cloud Services: Cloud products and services will be subject to CMMC and must meet the FedRAMP Moderate Baseline security requirements to achieve CMMC Level 2. Cloud Service Provider (CSP) offerings are considered CMMC Level 2-compliant if they are FedRAMP Authorized at the FedRAMP Moderate baseline. On-premises cloud offerings must have a System Security Plan (SSP) and Customer Responsibility Matrix (CRM) and be assessed as part of CMMC assessments.

The DoD proposes an aggressive rollout, with self-assessments required on all new contracts immediately after the final rule is effective and third-party assessments on all applicable contracts at the start of Phase 2, which is six months after final rule implementation.

Now is the time to get ready. As an RPO, BSC Systems, Inc. can provide the assistance you need, including guidance and templates to help you and your subcontractors meet the CMMC requirements. BSC has been providing this service since CMMC was announced in 2019. BSC scored a perfect 110/110 in meeting all the requirements of CMMC Level 2 and NIST SP 800-171 Rev 2 for our own internal program and for multiple clients that sought out our services. In addition, our clients have successfully completed DIBCAC and Agency Approval to Operate (ATO) assessments, so we also know what the DoD is looking for. For example, detailed policies and procedures are required, and all procedures and plans must specifically state how each control is implemented, with documented evidence, rather than merely parroting back the control text. So even if you think you’re NIST 800-171 compliant based on a self-assessment, our quick gap analysis can help clarify whether THEY will think you’re compliant. We have a track record of success: BSC has been performing FISMA and HIPAA reviews for the past 15 years, and since NIST 800-171 is essentially a subset of NIST 800-53, we have years of experience implementing these controls.