Blog

Introduction 

On December 26, 2023 the Department of Defense (DoD) unveiled the long-anticipated Proposed Rule for the Cybersecurity Maturity Model Certification (CMMC) Program,  sending a clear message to defense contractors that CMMC is happening sooner than many thought, and that those taking a “wait and see” attitude can no longer wait to prepare. This release not only proposed the codification of the CMMC program but also introduced version 2.11 of essential program documents, offering clarity on various aspects that were previously speculative. In this blog, we will delve into the key elements of the Proposed Rule, exploring the implications and strategies for defense contractors aiming to ensure CMMC compliance. 

Understanding the Proposed Rule 

The Proposed Rule outlines the DoD’s commitment to gaining assurance of consistent implementation of existing cybersecurity requirements within the Defense Industrial Base (DIB) before contract award. With the proposed codification in 32 CFR Part 170 and the introduction of version 2.11 documents, including scoping and assessment guides for each CMMC level, the DoD aims to provide a structured framework for contractors to meet the evolving cybersecurity landscape. 

Key Highlights of CMMC Levels 

CMMC comprises three tiers, each escalating in assurance, tailored based on the sensitivity of information involved in contracts: 

1. Level 1 (FCI): Mandates an annual self-assessment of 15 security controls outlined in Federal Acquisition Regulation (FAR) requirements for safeguarding Federal Contract Information (FCI) with an annual affirmation of continued compliance. 

1. Level 2 (CUI): Requires a triennial assessment of 110 security controls aligned with the National Institute of Standards and Technology (NIST) SP 800-171 Rev 2 standard for safeguarding Controlled Unclassified Information (CUI). Assessments can be self-assessments or third-party assessments, based on the DoD’s evaluation of information security risks. The vast majority (95%) of level 2 assessments will be performed by independent C3PAOs. 

1. Level 3 (CUI): Imposes new supplementary safeguards on CUI, necessitating a triennial Government-run assessment by the DCMA DIBCAC. Additionally, an annual affirmation of continued compliance is required. Level 3 is reserved for the most sensitive programs. 

Noteworthy, the assessments and affirmations for all three levels will be reported to the DoD’s Supplier Performance Risk System (SPRS), offering visibility into the compliance status of contractors and subcontractors. 

External Service Providers (ESPs) in Focus 

A significant revelation in the Proposed Rule is the clarification of how External Service Providers (ESPs), including Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs), will be treated under CMMC. The new guidance states that ESPs, serving CMMC Level 2 or higher systems, must comply with CMMC requirements at a level equal to or higher than the systems they support. This means that these service providers will need to obtain a CMMC Final Certification Assessment at Level 2 or 3, even if they are not direct contractors or subcontractors on a government contract. 

This requirement extends to ESPs handling not only Controlled Unclassified Information (CUI) but also Security Protection Data like log data or configuration data. It aligns with existing requirements for Cloud Service Providers (CSPs) but introduces new challenges for ESPs, particularly those servicing the commercial market. Many ESPs may find it challenging to retrofit their systems to comply with CMMC requirements, potentially impacting their ability to support government contractors. 

Enclaving as a Fast-Track Compliance Strategy 

The CMMC Program emphasizes the need for contractors to be ready to handle FCI and CUI immediately upon contract award. This shift necessitates a change in approach, anticipating the required capability before contract award. The Proposed Rule introduces the concept of “enclaves,” allowing contractors to create designated cloud-based micro-scale enclaves specifically for FCI and CUI. 

Enclaves, if designed in alignment with NIST and FedRAMP standards, offer a streamlined and scalable path to CMMC compliance. By leaving the existing IT infrastructure out of scope, cloud-based enclaves present a fast on-ramp to compliance, adaptable to the size and capability needed as FCI and CUI are generated or shared under future contracts. 

Increased Focus on FCI 

The Proposed Rule separates Level 1 (FCI protection) and Level 2 (CUI protection) requirements, aligning directly with underlying source standards such as FAR 52.204-21 and NIST SP 800-171 Rev 2. In many organizations FCI is available to a broader portion of its population and resident in other information systems. This distinction necessitates a separate FCI scope, self-assessment, and affirmation for all contractors and subcontractors. It also emphasizes that Level 1 and Level 2 assessments, along with affirmations, should be separate, though concurrent assessments can be performed if the scope of systems handling FCI and CUI is the same. 

Timely Action for Compliance 

The clock is ticking as the Proposed Rule marks the beginning of a multi-year phase-in period, aiming for CMMC inclusion in all solicitations issued on or after October 1, 2026. Contractors should not delay in taking decisive action, considering the existing requirements in the FAR and DFARS that are not being altered. 

Conclusion 

The DoD’s Proposed Rule for the CMMC Program introduces crucial changes and insights that demand swift action from defense contractors. With a clear focus on external service providers, enclaving strategies, and increased scrutiny on FCI protection, contractors must proactively align their compliance strategies with the evolving requirements. The time for preparation is now, ensuring that all aspects of the contractor’s ecosystem, including ESPs, are ready to meet the challenges posed by the CMMC Program. As the public comment period closes on February 26, 2024, defense contractors should be poised to adapt and thrive in the new era of cybersecurity requirements outlined by the DoD.