December 26, 2023, one large step for the Department of Defense and the Defense Industrial Base
Now that the dust has settled (or maybe kicked up even more), the long-anticipated Cybersecurity Maturity Model Certification (CMMC) proposed rule is scheduled to be published on 12/26/2023 and the public comment period will commence for 60 days.
This proposed CMMC rule is the official published document that announces and explains the CMMC, the Department of Defense’s (DoD) plan to strengthen the protection of sensitive information and improve national cybersecurity. The rule provides clarity into what, and when, Defense Industrial Base (DIB) organizations will have to fully comply with the CMMC requirements. The specifics of CMMC 2.0 have long been discussed, and the rule is now in its public comment period. The release of the rule for public comment means anyone can provide feedback to the Office of Management and Budget (OMB) on areas where clarity may be needed (is the language satisfactory?), on items that may have been overlooked (are expectations of External Service Providers addressed?), or on any other concerns they may have. We anticipate a lot of feedback.
Public comment periods typically range from 30 to 60 days, although the specific duration may vary based on the rule’s complexity or if there’s a valid reason for a shorter period. Assuming no extensions are granted, the CMMC 2.0 public comment period will conclude on February 26, 2024. After this, the OMB will start evaluating all submitted comments, with an expected volume exceeding 800 comments. Following the comment review, the rule will become final, making CMMC enforceable in any contracts affected by the rule.
“This marks a pivotal moment for our national defense. The release of the CMMC proposed rule offers much-needed clarity on various aspects of the long-anticipated CMMC initiative and we expect even more clarity coming from public comments. We’ve patiently awaited this development for over three years, and this announcement signifies the commencement of a vital chapter in our national defense efforts. We are one step closer to CMMC finalization, where together, we can strengthen our nation, and make it more resilient than ever,” said Brian McManamon, President at Redspin, a division of Clearwater.
—
A few of the key takeaways in the public comment version are:
1. Under the new CMMC Program, once the rule is finalized and published, the clock starts ticking – and it’s a brisk pace. In just two and a half years, companies must comply with the certification requirements, with intermittent steps that could demand certification even sooner. The details are in Section 170.3.
2. Level 2: The Balancing Act
Level 2 introduces an interesting twist. Its specifics will be determined by the DoD based on the program’s unique needs. This likely means that most companies will opt for a third-party assessment. The sophistication of Level 2 suggests that an external evaluation, be it a formal CMMC Third-Party Assessor Organization (C3PAO) certification or one that ensures the accuracy of the certification in the Supplier Performance Risk System (SPRS), will be necessary – think of it as a safeguard against false claims.
3. Cloud Service Providers and External Service Providers
Cloud Service Providers (CSPs) must meet Federal Risk and Authorization Management Program (FedRAMP) Level 2 or equivalent status. Other External Service Providers (ESPs) must be Level 2 CMMC certified. If the Organization Seeking Assessment (OSA) utilizes an ESP other than a CSP, the ESP must have a CMMC Level 2 Final Certification Assessment.
4. Conditional Certification: Proceed with Caution
Contractors may receive a conditional certification and subsequently secure a contract award. However, failure to achieve a final certification within 180 days could lead to the revocation of that award. Additionally, security requirements that aren’t met during an assessment by a C3PAO may be revisited under certain circumstances. Some controls don’t allow Plans of Action and Milestones (POA&Ms), emphasizing the need for stringent compliance.
5. Global Reach: International Companies, Same Rules
International companies operating in the defense sector won’t find any exemptions here. They are held to the same rigorous standards as their domestic counterparts, ensuring a level playing field in the global defense market.
6. Dispute Resolution and Accountability
A structured process exists for disputing assessments with C3PAOs, with the option to escalate matters to the Accreditation Body (AB). Additionally, if there’s a dispute regarding a solicitation’s level, it must be addressed with the contracting officer – akin to a pre-award protest.
7. Timing is Everything
Contractors need to be proactive when it comes to assessments. Delays that impact their ability to perform are their responsibility. Leaving enough time to ensure an assessment is conducted and certification is achieved is crucial to avoid disruptions.
8. Recertification and Scope Changes
The new CMMC Program outlines requirements for recertification when there are changes in scope. It’s a reflection of the dynamic nature of cybersecurity – adaptability and compliance go hand in hand.
9. The Second Chance
Imagine a security requirement that initially falls short, marked as “NOT MET.” It’s not a dead-end; it’s an opportunity for redemption. This second chance arises during the assessment and continues for ten crucial business days after the active assessment period concludes. But what must align for this lifeline to be accessible?
10. Conditions for Re-Evaluation
Additional Evidence: The key to unlocking this opportunity lies in having additional evidence. If you can provide compelling proof that the security requirement has indeed been met, the door to re-evaluation swings open. It’s a chance to showcase your commitment to cybersecurity excellence.
No Compromise: Here’s the catch – the re-evaluation cannot compromise or limit the effectiveness of other requirements that have already been scored as “MET.” It’s about finding the balance between rectifying deficiencies and maintaining the overall strength of your security posture.
In essence, security requirement re-evaluation is a lifeline for those moments when you’ve worked tirelessly to meet a requirement but still come up short. It’s the embodiment of fairness in the world of assessments, allowing you to present additional evidence and regain your footing without jeopardizing the security strides you’ve already made.
—
Additionally, the phased approach of when these items will be showing up in contracts should be of key importance. The reason for this is that under formal CMMC, support organizations identified as External Service Providers (ESPs) will also have to be accounted for by DIB organizations that have to undergo CMMC assessment starting with Level 2. The specifics of what the ESPs will have to do are identified in the updated CMMC v2.1 Scoping Guide Level 2. For some of these organizations, it will be as simple as identifying the shared responsibility. For others, this will mean having to undergo a CMMC assessment themselves. These items should be of particular importance to the DIB and the organizations that support them.
- Link to view the Proposed Rule: https://www.regulations.gov/document/DOD-2023-OS-0063-0001
- Link to eMASS user guides: https://www.regulations.gov/document/DOD-2023-OS-0097-0002
- Link to view posted public comments: https://www.regulations.gov/document/DOD-2023-OS-0063-0001/comment
- Link to public comment submission methods and instructions (public comment period ends 02/26/2024): https://www.federalregister.gov/documents/2023/12/26/2023-27280/cybersecurity-maturity-model-certification-cmmc-program
Stay tuned for more information in the coming days and weeks as we will continue to provide updates and expert analysis of the final CMMC proposed rule, and what it means to you. In the meantime, make sure you register for our upcoming webinar with Matt Travis, CEO of the Cyber AB, and our friends at Cyturus, where we will cover all the details LIVE on January 11th.
If you are an organization seeking certification (OSC) because you handle, process, and/or store Controlled Unclassified Information (CUI) or Federal Contract Information (FCI), or if you are an ESP and don’t know if you are required to comply with CMMC, Redspin is here to help! Reach out to us at info@redspin.com or fill out the form below to meet with us.
Book a meeting to get CMMC ready with Redspin: