On December 26, 2023, the Department of Defense (DoD) released the newest version of the ‘Proposed Rule’ for Cybersecurity Maturity Model Certification (CMMC). This is the third revision of the rule since it was first introduced in September 2020. The rule aims to enhance the protection of sensitive information, such as Controlled Unclassified Information (CUI) and Federal Contract Information (FCI), within the Defense Industrial Base (DIB).
The rule also comes with a dozen or so supporting guidance documents, such as the CMMC Assessment Guide, the CMMC Scoping Guide, and the CMMC Cloud Computing Security Requirements Guide. These documents provide more details on how to implement and assess the CMMC requirements across the three levels of maturity.
The DoD is inviting all members of the public to submit comments on the rule and the guidance documents at https://www.regulations.gov/document/DOD-2023-OS-0063-0001 through February 25. This is an opportunity for the DIB community to provide feedback and suggestions on how to improve the rule and the CMMC framework.
What are the main changes in the latest CMMC Proposed Rule?
The latest CMMC Proposed Rule has several changes from the previous versions. Here are some of the key points current DIB contractors and subcontractors should be aware of:
- The rule continues to emphasize that CMMC enables verification of the security that Defense Federal Acquisition Regulation Supplement (DFARS) 7012 has required since 2017. This clause requires contractors to implement the security controls specified in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, as well as to report any cyber incidents to the DoD.
- The rule continues to emphasize that the security mandates are not reimbursable expenses, while acknowledging that companies will reflect the expenses in their pricing models. This means that contractors will have to bear the costs of implementing and maintaining the CMMC requirements, as well as paying for the CMMC assessments by certified third-party assessment organizations (C3PAOs).
- The rule does not set a timeline for starting the CMMC implementation, but it does describe a phased approach over three years for inserting the new language into future contracts. The rule states that the DoD will select a subset of contracts each year to include the CMMC requirements, based on factors such as criticality, risk, and impact. The rule also states that the DoD will publish a list of contracts that will require CMMC certification at least six months before the solicitation is issued.
- The rule does not indicate that the CMMC requirements will be retroactively applied to existing contracts and existing option periods described in those contracts. This means that contractors who are currently performing under contracts that do not include the CMMC requirements will not have to obtain CMMC certification until they compete for new contracts or renew existing contracts that include the CMMC requirements.
- The rule mandates some assessment records retention requirements not previously seen. The rule requires contractors to retain the CMMC assessment reports and supporting evidence for at least six years from the date of the assessment. The rule also requires C3PAOs to retain the same information for at least 10 years from the date of the assessment. The rule states that the DoD may request access to these records for audit or oversight purposes.
- The rule includes discussion of a company’s use of Cloud Service Providers (CSPs) and External Service Providers (ESPs). The rule defines CSPs as entities that provide cloud computing services, such as infrastructure, platform, or software as a service. The rule defines ESPs as entities that provide external information system services, such as internet service providers, managed security service providers, or data center operators. The rule states that contractors who use CSPs or ESPs to store, process, or transmit CUI or FCI must ensure that the CSPs or ESPs meet the same CMMC level as the contractor. The rule also states that contractors must obtain written consent from the DoD before using CSPs or ESPs to store, process, or transmit CUI or FCI.
- The rule does not make it crystal clear what is or is not CUI or FCI. It refers readers to the National Archives and Records Administration (NARA) and to the Code of Federal Regulations (CFR) to read definitions. CUI is defined as information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies, excluding information that is classified. FCI is defined as information not intended for public release that is provided by or generated for the government under a contract to develop or deliver a product or service to the government.
What are the next steps for DIB contractors and subcontractors?
The latest CMMC Proposed Rule is not the final version, and it may change based on the public comments and feedback. However, it is likely that the rule will be finalized and implemented in the near future, as the DoD has stated its commitment to enhancing the cybersecurity posture of the DIB.
Therefore, DIB contractors and subcontractors should take proactive steps to prepare for the CMMC requirements, such as:
- Reviewing the CMMC Proposed Rule and the guidance documents, and submitting comments if they have any concerns or suggestions.
- Determining the CMMC level that they will need to achieve, based on the type and sensitivity of the information that they handle or generate for the DoD.
- Assessing their current cybersecurity maturity and identifying any gaps or weaknesses that need to be addressed.
- Implementing the CMMC practices and processes that correspond to their desired CMMC level, and documenting the evidence of their implementation.
- Selecting a C3PAO from the CMMC Accreditation Body (CMMC-AB) marketplace, and scheduling a CMMC assessment.
- Obtaining and maintaining the CMMC certification, and ensuring that it is valid and current.
The CMMC is a significant change for the DIB community, and complying with it will require time, effort, and resources. However, it is also an opportunity for DIB contractors and subcontractors to demonstrate their commitment to protecting the DoD’s sensitive information, and to gain a competitive edge in the defense market. Planet Technologies is here to help you with any questions or queries that you may have about the CMMC.