New Year, New CMMC Proposed Rule
On December 26, 2023, the Department of Defense published its proposed rule for the Cybersecurity Maturity Model Certification (CMMC) in the Federal Register. Publication of the proposed rule began a 60-day comment period that will close on February 26, 2024. The purpose of the proposed rule is to address concerns that members of the Defense Industrial Base (DIB) raised about the DoD’s initial vision for the CMMC program (known as ‘CMMC 1.0’) from September 2020. Since then, much has changed. CMMC 1.0 transformed into CMMC 2.0, which reduced the complexity of the program and streamlined the requirements. If you are like many other organizations in the DIB, you may have questions about what changes the proposed rule brings or, more importantly, what these changes mean for your organization. Continue reading as we analyze the proposed rule to answer these questions!
Requirements prior to the rule
Before diving into the changes that are brought up in the proposed rule, it is important to understand what is currently a requirement for members of the DIB.
All federal contracts, including contracts with the DoD, under which a contractor receives or handles Federal Contract Information (FCI) are subject to FAR 52.204-21, which specifies 15 cybersecurity requirements considered “elementary” for any organization to demonstrate basic cybersecurity. Those 15 requirements make up the requirements for CMMC Level 1, so the DoD expects members of the DIB who handle FCI to already be compliant with CMMC Level 1.
Next, we move to DFARS clause 252.204-7012, which is included in most contracts with the DoD where CUI is involved. DFARS 252.204-7012 required organizations to implement “adequate security” no later than December 31, 2017. But what does adequate security even mean? It means that your organization has to comply with all 110 requirements specified in NIST SP 800-171. If that sounds familiar, that’s because when the CMMC program is finalized, organizations that are required to be at Maturity Level 2 have to be compliant with all 110 requirements specified in NIST SP 800-171 (in addition to being audited on their implementation of these controls by a 3rd party). So, to be clear, organizations that have the DFARS 252.204-7012 clause in their contracts have already been required to implement all 110 controls of NIST SP 800-171 since 2017.
Moving along with current requirements, in November 2020 the DoD released its ‘DFARS Interim Rule’, which brought two new clauses to supplement DFARS 252.204-7012 and a third clause, DFARS 252.204-7021, which is not yet a requirement for organizations in the DIB and which we will discuss later in the article. The first clause is DFARS 252.204-7019, a requirement your organization is most likely familiar with if it handles CUI. DFARS 7019 requires an organization to conduct a self-assessment, and the score of that assessment must be submitted to the DoD through the Supplier Performance Risk System (also known as SPRS).
The second clause brought in by the Interim Rule is DFARS 252.204-7020, which is essentially a notice to organizations in the DIB with DFARS 7012 requirements that you must grant full access to your facility, systems, and personnel to DoD assessors at any time so they can “spot-check” your compliance with DFARS 7012 requirements (again, that’s all 110 controls in NIST SP 800-171). Additionally, DFARS 252.204-7020 requires contractors who enlist the services of subcontractors in support of a contract with CUI handling requirements to confirm those subcontractors have a score on file in SPRS prior to awarding them contracts (this means subcontractors handling CUI they receive from your organization have to meet the same “adequate security” that your organization does).
Now that we have discussed the current requirements for organizations in the DIB that handle CUI in some capacity, it is time to discuss upcoming changes, specifically those introduced by the proposed rule released last month.
New requirements. What’s changed?
The proposed CMMC rule, as the DoD refers to it, is the proposed rule for DFARS 252.204-7021, which is titled “Cybersecurity Maturity Model Certification Requirements.” This means the proposed rule gives us some insight into what’s to come once the DFARS 252.204-7021 rule is finalized and becomes a contractual requirement for most members of the DIB. It is important to note that the proposed rule is still in a public comment period, meaning the final rule can be revised based on the public comments received.
So what changes have been introduced in the proposed rule? There are a few of importance, such as the ability for a Maturity Level 2 or Maturity Level 3 organization to add specific controls they have not yet implemented to their POA&M, which they must then remediate within 180 days after a self-assessment or 3rd party assessment (Maturity Level 1 does not have this remediation option). Additionally, there are much more comprehensive ‘Affirmation Requirements’, which require a senior official to affirm that their organization has completed its respective Maturity Level requirements and will continue to adhere to them for as long as it is contractually obligated. Finally, there is much more information pertaining to organizations with Maturity Level 3 requirements, confirming that these organizations will need to implement 24 additional security controls from NIST SP 800-172 in addition to the 110 controls from NIST SP 800-171. However, many of these “changes” were already expected to be included in the final rule of the CMMC Program.
The truth is, the proposed rule didn’t change much of anything. The CMMC 2.0 program as we know it is most likely not going to experience any significant changes when the rule is finalized. The best way to think of the CMMC program, and what it means for your organization, is that you will most likely be required to have your organization assessed by a 3rd party, whether that’s a C3PAO for an organization with Maturity Level 2 requirements, or the DoD for organizations with Maturity Level 3 requirements.
Timeline
Before getting into what your organization needs to do today, it is important to discuss the DoD’s proposed timeline for the finalization of the CMMC Program. As mentioned before, the public comment period for the proposed rule ends late February of 2024. When this period closes, the DoD will read every comment, and address them accordingly. The comments may or may not result in revisions to the final rule, which does not currently have a projected completion date. It is speculated that the DoD will release the final rule sometime this year.
The DoD is going to utilize a four-phase approach for CMMC Program requirements. Phase 1 begins the moment DFARS 252.204-7021 is finalized (when the final rule is published).
In Phase 1, Level 1 and Level 2 self-assessments will be required for all contracts starting on or after the start date of Phase 1. DoD Project Managers also have the discretion to include CMMC Level 2 Certification Assessment requirements at this time, which means some contracts may require a CMMC Level 2 Certification prior to contract award.
Phase 2 begins 6 months after Phase 1 begins. Phase 2 includes all of the requirements in Phase 1, plus CMMC Level 2 Certification Assessments for applicable DoD contracts as a condition of contract award. However, the DoD may delay this requirement if needed, or may attach the CMMC Level 2 Certification Assessment requirement to an option period instead of making it a condition of contract award. Additionally, in Phase 2, DoD Project Managers have discretion to include CMMC Level 3 certification requirements.
Phase 3 begins 1 calendar year after the start of Phase 2. Phase 3 has the same requirements as Phases 1 and 2, but also requires Level 3 Certification Assessments for applicable DoD contracts as a condition of contract award. Similar to Phase 2, the DoD may delay Level 3 requirements if needed.
Phase 4 begins 1 calendar year after the start of Phase 3 and will include all CMMC Program requirements for all applicable contracts. The DoD has stated in the proposed rule that it anticipates reaching Phase 4 by October 1, 2026. In order to get to Phase 4 by October 1, 2026, the rule will need to be finalized by March 1, 2024. While finalization by March 1, 2024 is unlikely, it does indicate that the DoD will most likely not take its time getting the final rule published, so it should be expected at any time after the public comment period closes.
What you need to do today
So, what does this new CMMC rule mean for your organization today? The DoD expects your organization to have already implemented the 110 requirements from NIST SP 800-171, as that has been a requirement since December 31, 2017. Therefore, you should be reaching out to C3PAOs to get a Certification Assessment scheduled as soon as possible, as it will be a requirement only 6 months after DFARS 252.204-7021 is finalized. If you have not begun to implement the requirements in NIST SP 800-171, you are exceptionally behind the curve and your organization will most likely be affected once the CMMC Program is finalized. Implementing all 110 controls can take an organization between 9 and 18 months, not to mention the time needed to gather appropriate evidence to present to the C3PAO when assessment time comes.
If your organization has waited until now to begin its CMMC journey, you do have the option of working with a CMMC consultant organization (known as a Registered Practitioner Organization) to help you understand and work through the process of implementing the requirements. Vestige is a Registered Practitioner Organization and has a very active and robust CMMC program. We invite you to learn more by CONTACTING US today.