The Wait Is Over…The Final CMMC Rule Explained
The publication of the final program rule for the Cybersecurity Maturity Model Certification (CMMC) Program, 32 CFR Part 170, in the Federal Register on October 15, 2024, was an important milestone toward ensuring the confidentiality of sensitive defense information and stemming the theft of that information by foreign adversaries. The rule becomes effective and the CMMC Program comes into existence on December 16, 2024.
While CMMC’s core concepts remain intact from the initial release of CMMC 2.0 in November 2021, the final program rule contains many important changes, as well as important clarifications. The rule itself is not an easy read. It runs to 470 pages and roughly 140,000 words, is acronym-laden, and is full of internal cross-references and external references.
The webinar “The Wait is Over…The Final CMMC Rule Explained”, jointly produced by NeoSystems, FutureFeed, and Holland & Knight, distilled the final rule’s key elements, explaining the structure, requirements, timeline, caveats, and risks. This blog summarizes the discussion between Stuart Itkin, James Goepel, and Eric Crusius.
Why the CMMC Program Exists
The CMMC program was established to enhance the security of the defense supply chain. As Stuart Itkin from NeoSystems stated during the webinar, “If you’re with us today, then you’re aware that the CMMC final rule was published this week in the Federal Register.” The rule creates an enforcement mechanism designed to ensure that defense contractors are compliant with existing protections for federal contract information (FCI) and controlled unclassified information (CUI) and are safeguarding that information at a level commensurate with the risk from cybersecurity threats, including advanced persistent threats.
Key Features of the CMMC Rule
The CMMC framework categorizes contractors into three levels based on the sensitivity of the information they handle and on the type of assessment required:
- Foundational (Level 1): Basic cybersecurity measures for contractors dealing only with Federal Contract Information (FCI). The requirements are the 15 safeguarding requirements of FAR 52.204-21, verified by an annual self-assessment.
- Advanced (Level 2): More stringent controls for those handling Controlled Unclassified Information (CUI). The requirements are the 110 security requirements of NIST SP 800-171; depending on the solicitation, verification is either a self-assessment or a certification assessment conducted by a CMMC Third-Party Assessment Organization (C3PAO).
- Expert (Level 3): The highest level of security for contractors working with highly sensitive CUI on critical DoD programs. It builds on a Level 2 certification with 24 selected requirements from NIST SP 800-172, and the assessment is conducted by the Government (DCMA DIBCAC) rather than a C3PAO.
Understanding the Rollout Timeline
The rollout of the CMMC program is structured in four phases. Phase 1 begins when the companion DFARS acquisition rule (48 CFR) takes effect, which the panel expected late in the first calendar quarter or early in the second calendar quarter of 2025; the later phases add Level 2 certification assessments, then Level 3 assessments, and finally apply CMMC requirements to all applicable solicitations and contracts. Because a C3PAO certification assessment must be scheduled and completed before award, contractors need to stay ahead of these timelines to avoid last-minute scrambles.
The Importance of External Service Providers
Achieving and maintaining compliance can be daunting. External Service Providers (ESPs) can offer invaluable support. They provide expertise and resources that may not be available internally, ensuring that your organization can meet the CMMC requirements efficiently.
Jim Goepel from FutureFeed highlighted the critical role of ESPs, emphasizing that “the process involved in the assessment includes examination, interviews, and testing to validate cybersecurity programs.” Partnering with experienced providers ensures that each step is conducted thoroughly and accurately.
An Important Change in External Service Provider Requirements
The Proposed CMMC Program Rule published in December 2023 required Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs) to be certified, at a minimum, at the same level as their clients. Specifically, it stated, “If the OSA utilizes an External Service Provider (ESP), other than a Cloud Service Provider (CSP), the ESP must have a CMMC Level 2 Final Certification Assessment.”
The final rule, however, has no certification requirement for MSPs or MSSPs. That does not take their services out of scope: where an ESP processes, stores, or transmits CUI (or security protection data) on the contractor’s behalf, the services it provides are assessed as part of the contractor’s own assessment, and cloud service providers handling CUI must still meet FedRAMP Moderate or an equivalent standard. This leaves the responsibility with defense contractors to ensure that the service providers they select are qualified, capable of delivering the services required, and able to supply the evidence an assessor will ask for.
Annual Affirmation
As Holland & Knight’s Eric Crusius explained, the final rule requires companies that receive a third-party assessment or undergo a self-assessment (at any level) to file annual affirmations from an “affirming official”: someone who is responsible for ensuring the company’s compliance with the CMMC Program requirements and has the authority to affirm the company’s continuing compliance with the specified security requirements for their respective organizations. An affirmation is also required at the time of a conditional or final assessment, not only on the annual anniversary. Each affirmation is a representation to the Government, so recurring affirmations by a named official create ongoing exposure under the False Claims Act if the underlying compliance has lapsed.
Navigating the Assessment Process
The assessment process is multi-faceted, involving examination, interviews, and testing to validate conformance with (at Level 2) the 320 assessment objectives of NIST SP 800-171A. A typical assessment could take around 200 assessor hours and cost between $50,000 and $60,000, even for a simple evaluation. Achieving CMMC certification should be viewed as an investment in security and trustworthiness, underscoring to the DoD and your partners that security is a top priority.
Certification
CMMC certification, under the final rule, becomes a condition of contract award. The final rule allows Plans of Action and Milestones (POA&Ms) at Levels 2 and 3, but not at Level 1. A defense contractor can receive a Conditional Certification if it achieves a minimum assessment score of 80% (88 of the 110 Level 2 requirements), meets every requirement the rule designates as not eligible for a POA&M, and has POA&M entries for all NOT MET items.
A Conditional Certification is sufficient to receive an award, but all POA&M items must be closed and re-assessed as MET within 180 days through a POA&M closeout assessment. The Conditional Certification then becomes a Final Certification. If the POA&M items are not successfully remediated within the 180 days, the Conditional Certification is rescinded, and the contractor must start the assessment process from the beginning.
The Road Ahead
The webinar provided an overview of the final CMMC rule, but there is still much to understand. While we have tried to summarize the key takeaways from the webinar in this blog, not everything presented in the webinar is included here, and there is much more in the final rule that we simply were not able to get to. The devil is in the details, and there are a lot of details. Meeting all assessment objectives is required to become CMMC certified, but being secure requires ongoing diligence and making security a forethought, not an afterthought. The cybersecurity landscape is complex and constantly changing.
When it comes to addressing CMMC, rely on resources that understand the requirements and how they will be assessed. Never guess or assume. Consider consulting a competent attorney or cybersecurity expert to validate your compliance strategy. Every organization’s needs and circumstances are unique.
Conclusion
The final CMMC rule is here, and it’s crucial for defense contractors to understand its requirements and implications fully. With the right knowledge and partnerships, achieving and maintaining compliance will not only protect the sensitive information with which you are entrusted and that you create, but also enhance your organization’s integrity and trustworthiness within the defense sector.
The wait is over—take action today.