Last Updated on February 14, 2024
On December 26, 2023, the US Department of Defense (DoD) issued a much anticipated proposed rule that seeks to “…establish requirements for a comprehensive and scalable assessment mechanism to ensure defense contractors and subcontractors have, as part of the Cybersecurity Maturity Model Certification (CMMC) program, implemented required security measures…”
CMMC’s purpose is to improve cybersecurity across the vast US defense industrial base (DIB) to reduce rampant breaches and intellectual property loss.
This post shares answers to nine of the top questions DIB companies are asking about the proposed rule and CMMC rollout.
Top Questions DIB Companies Are Asking
Q1: What is the CMMC proposed rule?
The CMMC 2.0 program will enable the DoD to verify that a defense supplier has implemented all contractually mandated security requirements and is maintaining compliance throughout the contract period. CMMC’s focus is on protecting controlled unclassified information (CUI) and federal contract information (FCI).
The CMMC proposed rule implements the CMMC 2.0 program that was initially announced in November 2021, including clarifications and changes based on public comment and industry input.
Like prior steps in the CMMC rollout, the CMMC proposed rule does not greatly change the DoD cybersecurity requirements that have been in place for DIB entities since 2019. These include:
- Implementing the controls in NIST 800-171 Rev. 2
- Documenting your NIST 800-171 Rev. 2 compliance status, including plans of action and milestones (POA&Ms) to address any compliance gaps, in a System Security Plan (SSP)
- Recording your self-attested compliance score in the DoD’s Supplier Performance Risk System (SPRS), along with signed authorization by a senior leader
Q2: How are DIB companies viewing the CMMC proposed rule?
Many defense contractors and subcontractors are experiencing relief that there is now definitive clarity on the CMMC rollout, and the program will not be derailed. This is especially true for those businesses currently in compliance with DoD cybersecurity requirements.
The proposed rule also eases concerns among Certified Third-Party Assessment Organizations (C3PAOs) that the rollout period could have been as short as 90 days, driving tens of thousands of organizations to seek CMMC certification at the same time. Instead, there will be a two-year ramp-up period for compliance audits.
Another factor bringing DIB-wide relief is that there are no new control requirements for DIB suppliers that will need to comply with CMMC Level 1 (Foundational) or CMMC Level 2 (Advanced). Attestation requirements for CMMC compliance are also unchanged. In addition, the proposed rule clarifies longstanding questions about CMMC Level 3 (Expert), including control requirements. CMMC Level 2 is the baseline requirement for organizations that handle CUI.
Q3: What is the new CMMC timeline and implementation target date?
Here are pertinent CMMC dates and time periods:
- November 2019—CMMC announced.
- September 2020—CMMC 1.0 program initiated.
- November 2021—CMMC 2.0 announced.
- December 26, 2023—proposed rule codifies CMMC 2.0 with adjustments.
- February 26, 2024—60-day comment period on the proposed rule ends.
After receiving final comments, the DoD will roll out CMMC in four phases over 2.5 years:
- Phase 1 starts on the date when the final CMMC rule becomes effective (i.e., when the DFARS 7021 revisions become effective). At that point, CMMC Level 1 or CMMC Level 2 self-assessments will be required for contract award. The DoD further reserves the right to require third-party CMMC Level 2 assessments as part of certain contracts during Phase 1.
- Phase 2 will start six months after Phase 1 began. Third-party assessments will then be required to achieve CMMC Level 2 certification. The DoD will also begin including CMMC Level 3 certification requirements on some contracts.
- Phase 3 will begin one year after Phase 2 started. Now the DoD will extend CMMC Level 2 certification assessment requirements to contracts awarded prior to the start of Phase 1. From there, the DoD will not exercise options on existing applicable contracts where the supplier has not passed an independent CMMC Level 2 assessment. In addition, the DoD will continue to add CMMC Level 3 requirements as applicable.
- Phase 4 will begin one year after Phase 3 began. This phase will usher in full CMMC program implementation. The DoD will start including all CMMC requirements in all contracts and solicitations, including option periods on current contracts.
Based on longstanding precedent, the final comment period can be expected to last at least one year, despite many comments likely being redundant to earlier comment periods. That puts the Phase 1 start in early 2025, the Phase 2 start in mid-2025, the Phase 3 start in mid-2026, and the Phase 4 start in mid-2027.
As stated in the proposed rule, the DoD believes that this phased approach will address ramp-up issues and provide adequate time to train assessors and perform the tens of thousands of required assessments. The DoD reserves the right to consider a future extension to the four-phase implementation period to “mitigate any C3PAO capacity issues.”
Q4: What does the proposed rule say about “external service providers” (ESPs), third-party risk, and flowdown of requirements?
An external service provider (ESP) in CMMC terms could be a cloud service provider (CSP), managed service provider (MSP), managed security service provider (MSSP), or other third-party vendor that has access to IT resources in scope for your CMMC implementation.
The proposed rule indicates that the DoD, and hence CMMC compliance assessors, will be placing particular emphasis on third-party risk management (TPRM). This applies primarily to vendors with access to environments or systems holding CUI.
The key to compliance will be to demonstrate that you have properly assessed, quantified, and addressed those third-party cyber risks. Further, vendors whose systems operate in CUI environments will need to be certified at CMMC Level 2 just like their customers.
Organizations working with prime and large sub-prime contractors may need to demonstrate CMMC well before the final rollout. Many smaller suppliers are already seeing questionnaires and other pressures from primes looking to manage flowdown obligations across thousands of subcontractors.
For many DIB orgs that have delayed implementing CMMC controls as long as possible, flowdown requirements from customers will be the impetus to finally proceed.
Q5: When can my organization get a CMMC certification assessment?
Since certification requirements are now established for all three CMMC levels, can organizations seeking certification (OSCs) get an independent CMMC certification from a C3PAO today?
Official CMMC certifications cannot happen until comments are resolved and the CMMC final rule is in effect, probably in Q1 or Q2 2025. There will likely be a rush to schedule certification assessments as that time approaches. DIB orgs that have not already connected with a C3PAO and set up an assessment should do so ASAP.
But while CMMC certification is not yet officially available, companies can take significant steps in that direction. One such step would be a NIST 800-171 Rev. 2 compliance gap assessment. This will illuminate all the key changes you must make for CMMC Level 2 compliance.
Conducting a NIST 800-171 Rev. 2 gap assessment or CMMC 2.0 internal audit now offers several benefits to DIB orgs, including:
- Making the upcoming compliance assessment potentially much less risky and/or challenging
- Empowering you to share bona fide status and progress with your senior management and other stakeholders
- Supporting executive sign-off on your NIST 800-171 Rev. 2 compliance in SPRS
- Building a relationship with a registered provider organization (RPO) to help streamline your CMMC compliance process
- Potentially enabling you to schedule an official CMMC Level 2 assessment with a C3PAO and “avoid the rush”
Q6: What does the proposed rule say about CMMC Level 3?
CMMC 2.0 Level 3 requirements focus on decreasing the risk from Advanced Persistent Threats (APTs) and nation-state adversaries. Compliance with this “Expert” CMMC level will be required only for suppliers working with “high priority” CUI that is critical to national security, e.g., missile programs and other weapons systems programs.
The proposed rule clarifies that CMMC 2.0 Level 3 defines 134 required controls, including the 110 NIST 800-171 Rev. 2 controls plus 24 additional controls from NIST 800-172.
Contractors mandated to achieve CMMC 2.0 Level 3 certification must undergo a DoD compliance assessment. POA&Ms are allowed for “selected requirements” but must be closed out within 180 days of the assessment.
Q7: What does the proposed rule say about reciprocity with other cybersecurity certifications?
Section 10 of the proposed rule, Acceptance of Alternate Standards, addresses the relationship between CMMC compliance and related standards, notably NIST 800-171 Rev. 2 and FedRAMP Moderate or High.
Currently there is no official ability to leverage the results of other cybersecurity assessments, such as an ISO 27001 certification or a SOC 2 report, as part of a CMMC certification assessment. However, the DoD acknowledges the synergy between other comprehensive cybersecurity frameworks and CMMC.
Insight from other frameworks can help inform an understanding of how CMMC controls should operate. More explicit reciprocity among cybersecurity standards and CMMC may be forthcoming.
The proposed rule further specifies that, “In order to avoid duplication of efforts, thereby reducing the aggregate cost to industry and the Department, OSCs that have completed a DCMA DIBCAC High Assessment aligned with CMMC Level 2 Scoping will be eligible for CMMC Level 2 Final Certification Assessment” under certain conditions. The CMMC assessment would be valid for a three-year period from the date of the original DIBCAC assessment.
For defense contractors that will need to concurrently manage both an ISO 27001 information security management system (ISMS) and CMMC 2.0 compliance, a strong option to minimize duplication of effort would be to bring CMMC compliance within the scope of your ISMS.
Q8: Will executive sign-off requirements drive CMMC internal audits and NIST 800-171 Rev. 2 compliance assessments in the coming months?
The proposed rule does not significantly change the established requirement for “a senior organization official” to affirm on a yearly basis that a firm’s NIST 800-171 self-assessment report in SPRS is valid.
But with CMMC 2.0 rollout progressing along with elevated DoD scrutiny, this level of personal legal accountability is likely to motivate many DIB leaders to inquire about compliance evidence.
To reduce legal risk, many companies will look to RPOs and other cybersecurity consultants to provide attestation of compliance through a CMMC internal audit or NIST 800-171 Rev. 2 gap assessment process.
Q9: What’s next?
For more guidance on this topic, listen to Episode 131 of The Virtual CISO Podcast with guests Jeff Carden and Warren Hylton, Federal Risk & Compliance Consultants at CBIZ Pivot Point Security.