DoD Releases Proposed Rule to Officially Implement CMMC

Recently, the Department of Defense (DoD) took a significant step forward in bolstering cybersecurity across its contractor base by releasing a Proposed Rule to officially implement its Cybersecurity Maturity Model Certification (CMMC) program. This move underscores the DoD's commitment to protecting sensitive information and ensuring the integrity of its supply chain.
Understanding the Proposed Rule
Published in the Federal Register on December 26, 2023, the Proposed Rule spans 234 pages and sets out the requirements for DoD contractors, subcontractors, and the CMMC Third-Party Assessment Organizations (C3PAOs) that will assess them.
The proposed rule does not change or delay the requirements already imposed through NIST SP 800-171, but several points deserve attention:
CMMC Levels and Requirements
The CMMC framework retains Levels 1, 2, and 3 from the tiered model of CMMC 2.0.
- Level 1: The most basic CMMC certification. Level 1 follows a 54-page assessment guide outlining 17 controls.
- Level 2: This level aligns with the security controls in NIST SP 800-171 Rev. 2. Level 2 follows a 270-page assessment guide outlining 110 controls (inclusive of Level 1) and the 320 assessment objectives used to evaluate them. Any company that handles Controlled Unclassified Information (CUI) must achieve CMMC Level 2 to continue supporting DoD contracts that involve CUI.
- Level 3: Considered the Expert level; most companies will not need this certification. Level 3 adds requirements drawn from NIST SP 800-172 on top of the 110 Level 2 controls.
Assessment Mandates
Assessments will be mandatory at all levels, with varying frequencies. Level 1 requires an annual self-assessment, Level 2 generally requires a third-party certification assessment, and Level 3 requires a DoD-led certification assessment. All levels also require an annual affirmation from senior company leadership. The DoD's estimates of the affected contractor population are:
- Level 1: Approximately 140,000 companies at Level 1 will require an annual self-assessment with affirmation from company leadership.
- Level 2: Approximately 80,000 companies at Level 2 will require a triennial (every three years) third-party certification assessment with annual affirmation from company leadership. Only a small portion of Level 2 companies (about 4,000) will be permitted to self-assess.
- Level 3: Only about 1,500 companies falling into Level 3 will require a DoD-sanctioned certification assessment with annual affirmation from company leadership.
Use of Plans of Action and Milestones (POAMs)
Under NIST 800-171 alone, POAMs are permissible for any unmet requirement. CMMC imposes stricter conditions. In CMMC, a POAM is only acceptable if the company attains a minimum NIST 800-171 assessment score of 88 out of 110 (80%), and POAMs are limited to 1-point requirements; 3-point and 5-point requirements must be fully met at assessment time. POAM items must be closed within 180 days, and closure must be verified by a reassessment. Given the cost of assessments, relying on POAMs to meet CMMC requirements will be difficult and expensive.
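As an added worked example (this is not code from the original post or from SSE), the following Python script computes a NIST SP 800-171 assessment score from a list of unmet requirements and applies the CMMC POAM conditions described above: a score of at least 88, only 1-point requirements left open, and closure within 180 days of the assessment date. The requirement IDs and point values in the sample findings are constructed for illustration; the actual point value of each requirement (1, 3 or 5, with partial credit for certain 5-point items such as multifactor authentication and FIPS-validated cryptography) must be taken from the DoD Assessment Methodology.

```python
from dataclasses import dataclass
from datetime import date, timedelta

MAX_SCORE = 110            # 110 requirements in NIST SP 800-171 Rev. 2, one perfect score
CMMC_POAM_MIN_SCORE = 88   # 80% of 110, the floor the proposed rule sets for a POAM
POAM_CLOSURE_DAYS = 180    # POAM items must be closed within 180 days


@dataclass
class Finding:
    """One unmet requirement from an assessment.

    points:  weight of the requirement (1, 3 or 5) in the DoD Assessment Methodology.
    partial: True when the methodology grants partial credit for a 5-point item
             (e.g. MFA deployed only for remote/privileged access), which deducts
             3 points instead of 5.
    Weights used in the samples below are ASSUMED for this example, not looked up.
    """
    req_id: str
    points: int
    partial: bool = False


def deduction(f: Finding) -> int:
    """Points deducted for one finding, honouring the partial-credit rule."""
    if f.points not in (1, 3, 5):
        raise ValueError(f"{f.req_id}: point value must be 1, 3 or 5, got {f.points}")
    if f.partial and f.points == 5:
        return 3
    return f.points


def sprs_score(findings: list[Finding]) -> int:
    """Assessment score as reported to SPRS: 110 minus the sum of deductions."""
    return MAX_SCORE - sum(deduction(f) for f in findings)


def poam_decision(findings: list[Finding], assessment_date: date) -> dict:
    """Apply the CMMC POAM conditions to a set of findings.

    Returns the score, whether a POAM is allowed at all, the reasons it is not,
    and, if allowed, the date by which every open item must be closed and
    reassessed.
    """
    score = sprs_score(findings)
    reasons = []
    if score < CMMC_POAM_MIN_SCORE:
        reasons.append(f"score {score} is below the {CMMC_POAM_MIN_SCORE} minimum")
    heavy = [f.req_id for f in findings if deduction(f) > 1]
    if heavy:
        reasons.append(f"open requirements worth more than 1 point: {', '.join(heavy)}")
    allowed = not reasons and bool(findings)
    return {
        "score": score,
        "poam_allowed": allowed,
        "reasons": reasons,
        "closeout_deadline": assessment_date + timedelta(days=POAM_CLOSURE_DAYS) if allowed else None,
    }


# Constructed sample findings (IDs are real NIST 800-171 requirement numbers,
# but the point values and partial-credit flags here are assumptions).
SAMPLE_ELIGIBLE = [
    Finding("3.1.7", 1),   # assumed 1-point: privileged function execution
    Finding("3.3.3", 1),   # assumed 1-point: review logged events
    Finding("3.4.3", 1),   # assumed 1-point: track configuration changes
]
SAMPLE_HEAVY = [
    Finding("3.5.3", 5, partial=True),  # assumed: MFA only for remote/privileged, deduct 3
    Finding("3.13.11", 5),              # assumed: no FIPS-validated crypto, deduct 5
    Finding("3.8.4", 1),                # assumed 1-point
]
# 23 hypothetical 1-point gaps: score 87, one point under the floor
SAMPLE_LOW_SCORE = [Finding(f"hypothetical-{i}", 1) for i in range(23)]

if __name__ == "__main__":
    for name, findings in (("eligible", SAMPLE_ELIGIBLE),
                           ("heavy", SAMPLE_HEAVY),
                           ("low score", SAMPLE_LOW_SCORE)):
        print(name, poam_decision(findings, date(2024, 6, 1)))
```

Note that the "heavy" sample still scores above 88; it is rejected because the score threshold is necessary but not sufficient, since any open 3-point or 5-point item blocks a POAM regardless of score. A practitioner can drop real assessment results into the Finding list, with weights taken from the methodology, to see whether a POAM is even on the table before paying for a certification assessment.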
Cost Impacts
The DoD maintains that contractors should already have the NIST 800-171 Rev. 2 controls in place, as required since 2017, so the only costs it counted in its impact analysis were the costs of the certification assessments themselves. Based on the DoD's estimates, a Level 2 certification assessment may exceed $100,000. This high cost underscores the financial stakes for contractors and makes preparation and documentation essential to minimize the risk of failing an assessment and paying for another.
Enhanced Oversight and Accountability
Company leadership faces increased scrutiny, even at Level 1, which now requires a formal self-assessment process and an annual affirmation. Some existing POAMs may no longer be allowed to carry into CMMC certification, and insufficient or incomplete cloud or IT/cybersecurity support services could result in failed assessments and additional expense. Failure to meet documentation requirements, to provide the annual affirmation, or to submit scores to the Supplier Performance Risk System (SPRS) may expose contractors to liability under the False Claims Act.
These requirements will also apply to any outside services your company utilizes. Outside services, including Cloud Service Providers (CSPs) and Managed Service Providers (MSPs), should be reviewed to ensure they also satisfy all requirements of the CMMC Rule and DFARS 252.204-7012. In other words, MSPs that handle CUI or Security Protection Data must meet at least the same CMMC-level requirements that apply to the contractors they serve.
Roadmap for Compliance
Given the phased rollout of CMMC, contractors should prepare accordingly in 2024. At SSE, we are prepared to help your company ensure all requirements are met to help you secure contract requirements.
SSE Compliance Planning
- Initial Readiness Assessment: The SSE team will work through a complimentary survey to help review the current environment and future needs of your company, the existing security posture, including the System Security Plan (SSP) and POAMs, and existing IT tools. All of this information will allow us to create an overall estimation of current readiness for CMMC and NIST 800-171.
- Defining the Scope of Your Company’s Tasks: We first dig into your company’s current contract requirements, such as whether you handle Federal Contract Information (FCI) or CUI. It’s important to understand several aspects, such as where CUI is or will be stored or whether it’s possible to isolate CUI in a potential “enclave” to reduce your scope and cost.
- Gap Assessment: During our Gap Assessment, one of our CMMC Registered Practitioners will conduct a comprehensive analysis focused on the 110 controls of NIST 800-171 and CMMC Level 2. The deliverables you can expect in the Security Assessment Report (SAR) include a detailed NIST 800-171 assessment score, the information needed for an SSP, and POAMs for all unmet requirements.
Looking Ahead
With the public comment period having closed on February 26, 2024, the adjudication of public comments is now underway. Finalization of the Rule and the appearance of CMMC requirements in DoD contracts is expected between April 2024 and early 2025.
Prepare Your Company for CMMC Compliance with SSE
The DoD's Proposed Rule on CMMC implementation means that companies can no longer put off their compliance obligations. By adopting a strategic approach to compliance, contractors can strengthen their cybersecurity posture and uphold their commitment to safeguarding sensitive information.
Our experts will help you prepare for certification with confidence! To learn more about the DoD’s Proposed Rule for officially implementing CMMC, contact SSE or schedule your complimentary CMMC readiness assessment online today.