The General Overview and Current Status of CMMC
32 CFR Part 170 (The CMMC Program Rule)
This rule has been finalized and published. It officially establishes the Cybersecurity Maturity Model Certification (CMMC) Program. The rule is effective 60 days after publication in the Federal Register, which means the program will take effect by December 2024.
With the first rule published and the second following soon after, contractors across the Defense Industrial Base (DIB) must prepare for the official implementation of CMMC requirements.
These rules not only establish the framework for protecting sensitive information but also embed cybersecurity standards into defense contracts, making compliance essential for securing and renewing Department of Defense (DoD) contracts.
This article provides a comprehensive overview and the current status of the CMMC program, its certification levels, and the steps contractors should take now to ensure they are ready for the upcoming changes.
Where Does the Final Release of the CMMC Program Stand, and When Is It Expected to Be Released?
The CMMC Program Is Governed by Two Key Rules:
32 CFR Part 170 (The CMMC Program Rule)
This rule has been finalized and published. It officially establishes the Cybersecurity Maturity Model Certification (CMMC) Program. The rule is effective 60 days after publication in the Federal Register, which means the program will likely take effect by mid-to-late December 2024.
48 CFR Part 252 (CMMC Contract Rule or DFARS Rule)
This rule is currently in the public comment period, which will end on October 15, 2024. After the comment period, the feedback will be reviewed, and the final rule will be prepared for publication. The publication of this rule will officially link CMMC requirements to defense contracts.
What are 32 CFR and 48 CFR, and Why are They Important to the Launch of CMMC?
“The Program Rule”:
32 CFR Part 170 outlines the Cybersecurity Maturity Model Certification (CMMC) framework. It sets the cybersecurity standards that defense contractors must follow to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
“The Contract Rule”:
48 CFR Part 252 is the Defense Federal Acquisition Regulation Supplement (DFARS) that integrates CMMC requirements into defense contracts. It specifies the mandatory CMMC compliance clauses (e.g., DFARS 252.204-7021) for all relevant DoD contracts.
Importance to CMMC Launch:
Legal and Contractual Framework:
These regulations provide the legal basis to enforce CMMC standards across the Defense Industrial Base (DIB).
Cybersecurity Compliance:
They mandate that contractors meet CMMC requirements to handle sensitive information securely, safeguarding national security.
Implementation and Oversight:
Both regulations guide the phased rollout of CMMC and establish reporting requirements, ensuring ongoing compliance and accountability.
Together, 32 CFR and 48 CFR are essential for making CMMC a mandatory and enforceable part of defense contracting, ensuring that all contractors adhere to standardized cybersecurity practices.
When Are CMMC Requirements Expected to Be Added to Defense Contracts?
CMMC requirements will be phased in over four stages, with self-assessments being required first, followed by third-party assessments, and full implementation expected in Phase 4. By the end of the phase-in period, all contractors handling FCI or CUI will be required to have the appropriate CMMC certification.
By the end of three years, all contractors handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) will be required to have the appropriate CMMC certification.
Can a Contractor Be CMMC Certified Without a Third-Party Assessment?
For CMMC Level 1, an annual self-assessment is sufficient. However, Level 2 typically requires a third-party assessment every three years to verify compliance with NIST SP 800-171 controls.
What Is the Role of a Third-Party Assessor, and How Do They Fit Into the CMMC Certification Process?
Certified Third-Party Assessment Organizations (C3PAOs) conduct independent assessments to verify a contractor’s compliance with CMMC Level 2 requirements. Their certification is a prerequisite for contractors to be eligible for certain DoD contracts.
Core Business Solutions can recommend C3PAO’s who are focused on small business.
Compliance Obligations and Flow-Down Requirements
How Does Flow-Down Work, and Who Does It Affect?
Flow-down requirements now mandate that all subcontractors and suppliers handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) must comply with CMMC standards. Prime contractors are responsible for ensuring their subcontractors meet the necessary CMMC levels, and this compliance must be reaffirmed annually.
Prime contractors must verify that their subcontractors and suppliers are maintaining the required CMMC levels and submit annual affirmations of compliance, especially for those handling FCI and CUI. Non-compliant subcontractors can impact the prime contractor’s eligibility for DoD contracts.
What Are Annual Affirmations of Compliance, and Why Are They Important?
Contractors must submit an annual affirmation of continuous compliance with CMMC security requirements. This affirmation must be validated in the Supplier Performance Risk System (SPRS) using a DoD Unique Identifier (UID). These affirmations ensure that contractors are consistently meeting their cybersecurity obligations.
How Will the Supplier Performance Risk System (SPRS) Be Used in the CMMC Process?
SPRS will be used to report compliance status, store affirmation of compliance, and track unique identifiers for each contractor’s information systems handling FCI or CUI. Accurate reporting in SPRS is critical for maintaining contract eligibility.
How Does CMMC Certification Affect the Ability to Win or Renew DoD Contracts?
CMMC certification or self-assessment at the requisite level is critical for contract awards, renewals, and extensions. Contractors who are not compliant will be ineligible for DoD contracts, making early preparation and compliance verification essential.
What Happens If a Contractor Fails to Comply With CMMC Requirements During the Contract Term?
Non-compliance could lead to contract termination, inability to win new contracts, or loss of contract renewals. Maintaining compliance throughout the contract term is essential.
Reporting and Security Measures
What Are the Reporting Requirements for Security Lapses Under CMMC?
Contractors must notify their contracting officer within 72 hours of any lapses in information security or changes in their CMMC certification status. This broad requirement ensures that the DoD is immediately informed of any potential threats or changes in compliance.
Note: The term “lapses” is not clearly defined at this point. Hopefully, it will be made clear in the final, released rule.
How Often Must Contractors Update Their Cybersecurity Practices to Remain Compliant With CMMC?
Contractors must perform annual self-assessments and update their affirmations of compliance annually or whenever significant changes occur in their cybersecurity posture.
Preparing for CMMC Compliance
What Specific Actions Should Contractors Take Now to Prepare for CMMC Compliance?
Begin by determining the CMMC level required for future contracts, conducting self-assessments, and implementing necessary cybersecurity controls. Review subcontractor compliance and update internal policies to align with CMMC requirements.
32 CFR Part 170 (The CMMC Program Rule)
This rule has been finalized and published. It officially establishes the Cybersecurity Maturity Model Certification (CMMC) Program. The rule is effective 60 days after publication in the Federal Register, which means the program will likely take effect by mid-to-late December 2024.
About CORE Vault for NIST CMMC
Everything you need for NIST/CMMC in one cloud-based solution. The CORE Vault CUI Enclave and Consulting Services.
If you contract with the Department of Defense, you require advanced cybersecurity protections. To comply with DFARS, you need to meet the requirements of NIST SP 800-171. Soon, DoD contractors will also need to meet the requirements of Cybersecurity Maturity Model Certification (CMMC 2.0). However most contractors don’t have the resources to overhaul their entire network for compliance. With CORE Vault, you don’t have to.
With CORE Vault, you can separate government data from your network and access it through a secure, cloud-based environment managed by our cyber experts.
CORE Vault also includes the support needed to reach full compliance with the non-technical cybersecurity requirements, such as your system security plan and required policies.
We’ve seen contractors achieve their maximum DoD-required SPRS score in 30 days.
Core Business Solutions, established in 2000, is a Registered Practitioner Organization through the Cyber AB and has been providing consulting and technical solutions for NIST/CMMC for over 5 years. Rick Krick is the Director of Security Solutions for Core Business Solutions and directs our Cybersecurity Services solutions including CMMC. Rick has over 25 years of experience in Management System implementations, software development, IT services, and certifications.
