Proposed New Rule for CMMC Program
The US Department of Defense (DoD) published a proposed new rule for the Cybersecurity Maturity Model Certification (CMMC), eight guidance documents and new information collections on December 26, 2023.
CMMC compliance helps organizations that work with the defense industry, or that have suppliers and customers in the defense supply chain, meet contractual security requirements to protect Controlled Unclassified Information (CUI) that the DoD or prime contractors share with their contractors and subcontractors. These requirements will be included in defense contracts after rulemaking is finalized. If CMMC applies to you, take the opportunity to review the proposed rule and guidance documents, and provide your feedback before the DoD public comment period closes on February 26, 2024.
A comprehensive assessment mechanism
The CMMC framework was first announced in 2019 and the publication of this latest proposed rule for CMMC 2.0 has generated much discussion amongst the Defense Industrial Base (DIB). The long-anticipated proposed rule lays out the implementation plan for CMMC 2.0, including a ‘comprehensive assessment mechanism’. It is seen by many as an expansion and a tightening up of the previous version in response to ever-growing cybersecurity risks.
The DoD currently requires contractors and subcontractors who handle CUI to meet National Institute of Standards and Technology (NIST) controls. However, there has not been a systematic process for checking that controls are being met. Under the CMMC program, the intention is that organizations are assessed according to the level of CMMC certification required so that compliance is verified prior to contracts being awarded.
New affirmation requirement
Depending on the sensitivity of the information an organization handles, there are three levels of CMMC certification: Level 1, verified by self-assessment; Level 2, verified by an independent third-party assessment organization; and Level 3, assessed by the DoD.
The proposed rule states that CMMC Level 2 certification will be valid for three years, but it also requires a senior official to affirm the organization's compliance with the cybersecurity requirements on an annual basis. This requirement would flow down the supply chain to applicable subcontractors too, so it is potentially far-reaching.
“When it comes to demonstrating CMMC compliance, third party assessment provides robust and trusted verification that specific security requirements are being met. This is the level of assurance the DoD is seeking with its new proposed rule. C3PAOs play a vital role in helping maintain the DoD’s robust standards for processing, storing or transmitting sensitive information”, says Tony Giles, Director of Information Security at NSF.
Proposed implementation plan
Public comments on the proposed rule and guidance documents need to be submitted by February 26, 2024, and it is currently expected that the final rule will come into effect in early 2025. Subject to the finalization of the proposed rule, contractors handling CUI or federal contract information would be required to demonstrate CMMC compliance by October 1, 2026.
The program is proposed to roll out in four phases.
- Phase 1: CMMC Level 1 and Level 2 self-assessment requirements are rolled out for new solicitations and contracts that involve federal contract information or CUI of a less sensitive nature.
- Phase 2: Six months later, Level 2 requirements are rolled out for contracts that require third-party certification.
- Phase 3: Level 3 requirements take effect one year after the start of Phase 2. Level 3 assessments are performed by the DoD and are required for only a small percentage of the DIB.
- Phase 4: One year after the start of Phase 3, CMMC requirements are fully implemented in all applicable solicitations and contracts.
The proposed rule does allow ‘conditional’ self-assessments and certifications where contractors can defer some requirements into Plans of Action and Milestones (POA&Ms). These must be closed out within 180 days.
Tony Giles, Director of Information Security at NSF, gives us his perspective on next steps for DIB contractors.
“We anticipate demand for level two assessments will be high and that the CMMC ecosystem will need time to ramp up. We therefore recommend contractors start their journey to CMMC certification today in order to give themselves enough time to ensure they meet the robust requirements.”
Working with an Assessment Organization
According to the proposed assessment mechanism, those who require level two CMMC certification will need to be successfully audited by an authorized CMMC Third Party Assessment Organization (C3PAO).
C3PAOs are accredited to assess organizations against CMMC requirements, and in March 2023 NSF gained authorization from the Cyber AB to verify defense contractors' compliance with CMMC through independent audits.
NSF also provides assessment services to organizations that require only a Level 1 self-assessment but are seeking the rigor and robustness that come from working with an independent third party.
You don't have to wait until the rulemaking is finalized. Get ahead by starting your journey to maintaining your DoD supplier status today. There are a number of ways to prepare. For example, we are able to perform NIST SP 800-171 gap assessments now, which give defense contractors insight into their organization's readiness for a CMMC assessment once the rule is finalized and comes into effect. We are also able to conduct Joint Surveillance Voluntary Assessments for organizations that are ready to be assessed before the CMMC rule becomes final.