Overview and Status of CMMC

By Scott Dawson
October 2, 2024

The General Overview and Current Status of CMMC

The Cybersecurity Maturity Model Certification (CMMC) is approaching a critical milestone as two key rules governing the program—32 CFR Part 170 and 48 CFR Part 252—are near finalization.

With the first rule expected to be published by late 2024 and the second following soon after, contractors across the Defense Industrial Base (DIB) must prepare for the official implementation of CMMC requirements.

These rules not only establish the framework for protecting sensitive information but also embed cybersecurity standards into defense contracts, making compliance essential for securing and renewing Department of Defense (DoD) contracts.

This article provides a comprehensive overview and the current status of the CMMC program, its certification levels, and the steps contractors should take now to ensure they are ready for the upcoming changes.

Where Does the Final Release of the CMMC Program Stand, and When Is It Expected to Be Released?

The CMMC Program Is Governed by Two Key Rules:

32 CFR Part 170 (The CMMC Program Rule)

This rule cleared the review by the Office of Information and Regulatory Affairs (OIRA) on September 15, 2024. It has been sent back to the Department of Defense (DoD) for final questions and answers, formatting, and preparation for publication in the Federal Register. It is expected to be published by mid-to-late October 2024. Once published, the rule will have an effective date, likely with a 60-day delay, which could make the program effective as early as mid-to-late December 2024.

48 CFR Part 252 (CMMC Contract Rule or DFARS Rule)

This rule is currently in the public comment period, which will end on October 15, 2024. After the comment period, the feedback will be reviewed, and the final rule will be prepared for publication. The publication of this rule will officially link CMMC requirements to defense contracts.

It is anticipated that 32 CFR Part 170 will be finalized and published in late 2024 and 48 CFR Part 252 will be finalized and published in early 2025. Once this happens, CMMC requirements will be officially implemented. 32 CFR Part 170 will establish the program framework, while 48 CFR Part 252 will integrate these requirements into defense contracts.

What are 32 CFR and 48 CFR, and Why are They Important to the Launch of CMMC?

“The Program Rule”:

32 CFR Part 170 outlines the Cybersecurity Maturity Model Certification (CMMC) framework. It sets the cybersecurity standards that defense contractors must follow to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

“The Contract Rule”:

48 CFR Part 252 is the Defense Federal Acquisition Regulation Supplement (DFARS) that integrates CMMC requirements into defense contracts. It specifies the mandatory CMMC compliance clauses (e.g., DFARS 252.204-7021) for all relevant DoD contracts.

Importance to CMMC Launch:

Legal and Contractual Framework:

These regulations provide the legal basis to enforce CMMC standards across the Defense Industrial Base (DIB).

Cybersecurity Compliance:

They mandate that contractors meet CMMC requirements to handle sensitive information securely, safeguarding national security.

Implementation and Oversight:

Both regulations guide the phased rollout of CMMC and establish reporting requirements, ensuring ongoing compliance and accountability.

Together, 32 CFR and 48 CFR are essential for making CMMC a mandatory and enforceable part of defense contracting, ensuring that all contractors adhere to standardized cybersecurity practices.

When Are CMMC Requirements Expected to Be Added to Defense Contracts?

CMMC requirements are expected to begin appearing in DoD contracts in early to mid-2025. There will be a phased rollout over three years, gradually enforcing CMMC requirements across all tiers of the Defense Industrial Base (DIB).

By the end of these three years, all contractors handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) will be required to have the appropriate CMMC certification.

CMMC Certification Levels and Requirements

What Are the Different Levels of CMMC Certification, and What Do They Entail?

CMMC Level 1: Focuses on protecting FCI with 17 basic cybersecurity controls. Requires an annual self-assessment.

CMMC Level 2: Designed for contractors handling CUI. Requires 110 security controls based on NIST SP 800-171 and a third-party assessment every three years.

CMMC Level 3: Intended for contractors dealing with highly sensitive CUI. Involves more advanced security practices and procedures and a government assessment every three years.

Can a Contractor Be CMMC Certified Without a Third-Party Assessment?

For CMMC Level 1, an annual self-assessment is sufficient. However, Level 2 typically requires a third-party assessment every three years to verify compliance with NIST SP 800-171 controls.

What Is the Role of a Third-Party Assessor, and How Do They Fit Into the CMMC Certification Process?

Certified Third-Party Assessment Organizations (C3PAOs) conduct independent assessments to verify a contractor’s compliance with CMMC Level 2 requirements. Their certification is a prerequisite for contractors to be eligible for certain DoD contracts.

Core Business Solutions can recommend C3PAOs that focus on small businesses.

Compliance Obligations and Flow-Down Requirements

How Does Flow-Down Work, and Who Does It Affect?

Flow-down requirements mandate that prime contractors ensure all subcontractors and suppliers also comply with CMMC requirements. This includes inserting specific CMMC compliance clauses in subcontracts and ensuring that subcontractors conduct annual affirmations of compliance.

Prime contractors must verify that their subcontractors and suppliers are maintaining the required CMMC levels and submit annual affirmations of compliance, especially for those handling FCI and CUI. Non-compliant subcontractors can impact the prime contractor’s eligibility for DoD contracts.

What Are Annual Affirmations of Compliance, and Why Are They Important?

Contractors must submit an annual affirmation of continuous compliance with CMMC security requirements. This affirmation must be validated in the Supplier Performance Risk System (SPRS) using a DoD Unique Identifier (UID). These affirmations ensure that contractors are consistently meeting their cybersecurity obligations.

How Will the Supplier Performance Risk System (SPRS) Be Used in the CMMC Process?

SPRS will be used to report compliance status, store affirmations of compliance, and track the unique identifier assigned to each contractor information system that handles FCI or CUI. Accurate reporting in SPRS is critical for maintaining contract eligibility.

How Does CMMC Certification Affect the Ability to Win or Renew DoD Contracts?

CMMC certification or self-assessment at the requisite level is critical for contract awards, renewals, and extensions. Contractors who are not compliant will be ineligible for DoD contracts, making early preparation and compliance verification essential.

What Happens If a Contractor Fails to Comply With CMMC Requirements During the Contract Term?

Non-compliance could lead to contract termination, inability to win new contracts, or loss of contract renewals. Maintaining compliance throughout the contract term is essential.

Reporting and Security Measures

What Are the Reporting Requirements for Security Lapses Under CMMC?

Contractors must notify their contracting officer within 72 hours of any lapses in information security or changes in their CMMC certification status. This broad requirement ensures that the DoD is immediately informed of any potential threats or changes in compliance.

Note: The term “lapses” is not clearly defined at this point. Hopefully, it will be made clear in the final, released rule.

How Often Must Contractors Update Their Cybersecurity Practices to Remain Compliant With CMMC?

Contractors must perform annual self-assessments and update their affirmations of compliance annually or whenever significant changes occur in their cybersecurity posture.

Preparing for CMMC Compliance

What Specific Actions Should Contractors Take Now to Prepare for CMMC Compliance?

Begin by determining the CMMC level required for future contracts, conducting self-assessments, and implementing necessary cybersecurity controls. Review subcontractor compliance and update internal policies to align with CMMC requirements.

The Cybersecurity Maturity Model Certification (CMMC) is approaching its final stages as two critical rules—32 CFR Part 170 and 48 CFR Part 252—are nearing publication. With the program’s full implementation expected in late 2024 to early 2025, defense contractors must prepare for the mandatory cybersecurity standards that will soon be linked to Department of Defense (DoD) contracts.

This article provides an in-depth overview of the current status of CMMC, the certification levels, and the actions contractors should take now to ensure compliance. As the phased rollout progresses, compliance will be essential for securing and renewing DoD contracts, making early preparation vital for contractors across the Defense Industrial Base (DIB).

About CORE Vault for NIST CMMC

Everything you need for NIST/CMMC in one cloud-based solution. The CORE Vault CUI Enclave and Consulting Services.

If you contract with the Department of Defense, you require advanced cybersecurity protections. To comply with DFARS, you need to meet the requirements of NIST SP 800-171. Soon, DoD contractors will also need to meet the requirements of Cybersecurity Maturity Model Certification (CMMC 2.0). However, most contractors don’t have the resources to overhaul their entire network for compliance. With CORE Vault, you don’t have to.

With CORE Vault, you can separate government data from your network and access it through a secure, cloud-based environment managed by our cyber experts.

CORE Vault also includes the support needed to reach full compliance with the non-technical cybersecurity requirements, such as your system security plan and required policies.

We’ve seen contractors achieve their maximum DoD-required SPRS score in 30 days.
