The CMMC Proposed Rule Published… Now What?


The Department of Defense (DoD) and its contractors are prime targets for cyberattacks. In fact, the U.S. government loses more than $600 billion annually due to cyber theft of intellectual property tied to federal contract information (FCI) and controlled unclassified information (CUI). And, unfortunately, cybersecurity risks for the Defense Industrial Base (DIB) supply chain are not decreasing, even as federal agencies, contractors, and subcontractors improve their cyber hygiene practices. 


The DoD hopes its latest Cybersecurity Maturity Model Certification (CMMC) proposed rule, which is open for review and public comment until Feb. 26, will close some of these gaps, further enhancing security and privacy for sensitive federal data.  

Ransomware attacks on the Defense Industrial Base (DIB) have surged by 95% within the last year.

– The DoD Inspector General’s Office

CMMC Expansion and Growth from CMMC 1.0 to 2.0 

CMMC security standards guide organizations on how to protect and manage CUI and FCI. The standards apply to all contractors and subcontractors bidding on or renewing DoD contracts that handle, store, and/or transmit CUI/FCI.


Following the initial release of CMMC standards in 2020 (CMMC 1.0), the DoD set compliance deadlines for 2025, but there were concerns about the requirements, particularly regarding implementation and assessment costs. As a result, the DoD initiated the process to modify and update CMMC, which, when finalized, will be CMMC 2.0. The 2.0 version of CMMC was published as a proposed rule (32 CFR) on December 26, 2023.


The changes indicated in the proposed rule address concerns about: 

  • Direct/indirect costs related to achieving and maintaining compliance  
  • Initial investments 
  • Infrastructure changes 
  • Incident response and reporting 
  • Governance and training 
  • Fees related to assessments and certifications 


The proposed rule also introduces DoD spot checks to validate the self-assessment score of an organization seeking certification (OSC). Any inaccurate or misleading SPRS scores could result in substantial False Claims Act penalties and/or civil or criminal charges.


Some of these changes could also spur CMMC adoption by other federal agencies such as the Department of Education, NASA, Department of Home Affairs (DHA), Department of Health and Human Services (HHS), Homeland Security, Department of Justice (DOJ), Department of Energy, Department of State, and the U.S. Treasury Department. 


Canada recently announced a CMMC reciprocity program, the Canadian Program for Cyber Security Certification (CPCSC). According to the Canadian Commercial Corporation (CCC), “the goal is to streamline and facilitate certification under a single regime, enabling Canadian suppliers to do business in Canada and the U.S.” 


The Cyber-AB, the only authorized DoD accreditation body and certification partner for CMMC, has announced that DoD is in discussions for similar reciprocity with Germany, France, Austria, Australia, Japan, and South Korea. 


Validated Compliance 

Before the DoD developed CMMC, FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems – a supplement to the initial FAR regulations, the Defense Federal Acquisition Regulation (DFARS) 252.204-7012 – directed FCI and CUI privacy, security, and use practices. At that time, contractors and subcontractors could self-attest to DFARS requirements by submitting an annual Supplier Performance Risk System (SPRS) score to DoD, but contractors had different assessment approaches, which led to inaccurate, ineffective SPRS scores.


The DoD developed CMMC to standardize these assessment processes. CMMC 1.0 had five assessment Levels. The proposed rule (CMMC 2.0) reduces this to three Levels, including a self-assessment, a Certified 3rd Party Assessment Organization (C3PAO) assessment, and a government-led assessment to validate cybersecurity compliance and build a shared understanding.

  • CMMC Level 1: Basic FCI safeguarding. 
  • CMMC Level 2: General CUI protection with distinctions between self-assessments and certification assessments. 
  • CMMC Level 3: A higher level of protection against advanced persistent threats (APT), with specific requirements derived from NIST SP 800-171 and NIST SP 800-172. 


The level at which an organization must be certified depends on the data it stores, handles, and/or transmits, and will be included in DoD requests for information (RFIs) and requests for proposals (RFPs). The type and sensitivity of FCI and CUI will determine the appropriate attestation level.


More Flexibility 

The proposed rule introduces flexibility through remediation, plans of action and milestones (POA&Ms), and dispute resolution: 

  • Remediation enables an OSC (i.e. contractors and subcontractors) to address minor practice deficiencies within five days of an assessment close-out. 
  • POA&Ms allow an OSC an opportunity to remediate more complex deficiencies through a formal oversight process within 180 days of close-out, resulting in a conditional certification until the OSC remediates all issues.  
  • Dispute resolution is a formal mechanism for OSCs to address issues with the conduct or results of their assessment. 


Phased Implementation and Contractor Requirements 

So, what does publication of the CMMC proposed rule mean for contractors, and when is the deadline? 


Once the public comment period closes on February 26th, 2024, if no extensions are granted, the public comments will go to the Office of Management and Budget (OMB) for review and adjudication. When the review is complete, the rule becomes final.  


The DoD will implement the rule in four phases, gradually increasing requirements and the number of contracts that include CMMC assessment stipulations. We expect CMMC acquisition requirements for Levels 1, 2, and 3 will be included in all solicitations starting late 2024.  


Even so, all contractors and subcontractors that process, store, and/or transmit CUI/FCI on contractor information systems, including commercial item contracts, except commercially available off-the-shelf (COTS), should be in immediate compliance.  


Most contractors will likely need CMMC certification at least at Level 2. While some exceptions allow self-attestation for Level 2, a majority will need to demonstrate compliance through an external third-party assessment, and for Level 3 and more sensitive CUI, government-led assessments, depending on contract requirements. 


An increasing number of contractors and subcontractors now delegate IT and cybersecurity tasks to External Service Providers and managed cloud service providers (CSPs). It’s worth noting that if a contractor plans to use a CSP to store, process, and/or transmit any covered defense information as part of a DoD contract, the contractor must require and ensure that the CSP meets security requirements equivalent to Federal Risk and Authorization Management Program (FedRAMP) Moderate or FedRAMP High. Other ESPs must be at the same CMMC Level as the contractor.  


Ensuring CMMC Compliance 

While the official compliance mandate is still in the future, now is the time to move forward with your CMMC assessment and ensure you’re meeting NIST SP 800-171 standards, which align with CMMC requirements. 


If you want to bid on or renew contracts at Level 2 or Level 3, you’ll need a third-party assessment before bidding on contracts with these requirements. A C3PAO must conduct the CMMC assessment for Level 2 and can help your organization prepare for a government-led Level 3 assessment.  


If you partner with Redspin — the industry’s first Authorized C3PAO with Level 2 certification, which has already conducted over 30% of Joint Surveillance Assessments (JSVAs), an early adopter program to CMMC — the process for CMMC certification generally takes about four weeks and aligns with CMMC 2.0 Level 2 as follows:

  • Phase 1, objective evidence review: Usually takes about a week. 
  • Phase 2, the interview phase with all key stakeholders: Generally takes a week.  
  • Phase 3, report writing: If you’ve met all CMMC requirements, the C3PAO will issue an attestation letter for certification and submit the required documentation to DoD. 
  • Phase 4, final assessment: If you did not pass the assessment at Phase 3, you’ll have 180 days to remediate issues in your POA&M. When complete, the assessor will do a final assessment. If you’ve rectified all issues and pass the assessment, you will earn your CMMC compliance certification. 


After certification, you must maintain compliance and re-affirm it every year. Re-certification is mandated every three years. 


If you’re ready to move forward with an assessment before the rule is finalized, you may choose to participate in the Joint Surveillance Voluntary Assessment Program (JSVAP). A JSVAP assessment will evaluate your NIST 800-171 practices. If you meet the requirements, you will receive a Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) High Certificate that will later be replaced by a CMMC Certificate when the rule is effective. 


A C3PAO with cybersecurity and IT expertise like Redspin can also help with:

  • Building or managing your secure environment 
  • Reviewing and providing feedback on all CMMC evidence and documentation   
  • Reviewing security controls to ensure they operate as designed 
  • Conducting a cybersecurity program gap analysis 
  • If there are gaps, the C3PAO will issue findings for your POA&M 
  • Providing assistance with remediation 
  • Educating and training your staff on CMMC requirements 



