Last Updated on January 12, 2024
CMMC 2.0 is being implemented through rulemaking changes to the Code of Federal Regulations (CFR), Parts 32 and 48, including the Defense Federal Acquisition Regulation Supplement (DFARS) within 48 CFR. The CFR applies broadly to the entire US federal government, not just the Department of Defense (DoD). Further, the controlled unclassified information (CUI) that CMMC was created to protect is generated, stored, processed and transmitted across the entire spectrum of US government agencies and their supply chains, not just around DoD contracts.
So, what are the implications of the CMMC rulemaking process for federal contractors outside the US defense industrial base (DIB)?
To share guidance on all aspects of CMMC 2.0 for government contractors, a recent episode of The Virtual CISO Podcast features CMMC experts Kyle Lai, founder and CISO at KLC Consulting, and Caleb Leidy, CUI Protection and CMMC Consultant at Pivot Point Security. Hosting the show is Pivot Point Security’s CISO and Managing Partner, John Verry.
Changes are coming for all federal acquisitions
As Caleb explains, the DoD’s proposed changes to 32 CFR and 48 CFR are mainly confined to the chapters within those rules that the DoD controls (e.g., 48 CFR Chapter 2, which is the DFARS rules). But these changes will also impact the FAR CUI rule, which applies to all federal government contractors that handle CUI.
“It’s going to be really interesting to see, when the new FAR CUI rule hits and it starts getting thrown into contracts for companies outside the DIB,” observes Caleb. “Even inside the DIB we’ve been dealing with this for five or six years now from a contractual perspective, and there are people who still don’t know and are caught off guard. I fear we’re going to have the exact same thing happen for the rest of the industry that is not in the DIB, and is not having this pushed at them so harshly right now.”
Early warning signs
Early warning signs are already flashing, such as language in the Polaris GWAC going out to IT service providers. Likewise, the US Department of Education (DoE) has already let institutes of higher education know that they should start preparing for compliance with NIST 800-171.
“It’s going to be interesting to see how CMMC will develop over the next few years,” Kyle offers. “If it’s successful, other federal agencies will probably adopt it. Because now it’s aligned NIST 800-171, which is federal and not just DoD. So, if this program is successful, it seems likely that GSA, Homeland Security, the Department of State, they will express interest.”
What’s next?
To hear this valuable guidance on CMMC 2.0 straight from John, Caleb and Kyle, click here.
Concerned about CMMC 2.0 compliance deadlines? Here’s one more reason to get your program in gear now: CMMC 2.0 and NIST 800-171—Pressure from Primes Could Accelerate Compliance Timeframes