Another CMMC Proposed Rule Insight As of December 26, 2023

The CMMC program by the Department of Defense has reached a significant milestone with the unveiling of the CMMC Proposed Rule on December 26th, as documented in the Federal Register. This marks the commencement of a 60-day comment period, signaling a major step forward. Anticipated developments suggest that CMMC will likely be incorporated into contracts by the fourth quarter of 2024.

Here are seven essential insights gleaned from the Proposed Rule:

  1. CMMC Finalization: The publication of the proposed rule marks a significant stride towards the implementation of DFARS 252.204-7021 and the establishment of the CMMC program.
  2. DFARS 252.204-7021 Adoption: The Proposed Rule sets the stage for the adoption of DFARS 252.204-7021, emphasizing the imperative for defense contractors to comply with CMMC certification requirements specified in their contracts at the time of award.
  3. Enactment of CMMC: The Proposed Rule lays the groundwork for the full enactment of the CMMC program. This signifies a crucial development in the defense contracting landscape.
  4. Mandatory Certification: DFARS 7021 mandates that all defense contractors attain CMMC certification at the specified level outlined in their contracts. This certification requirement becomes a prerequisite for eligibility for future contracts.
  5. Timely Compliance: Contractors are required to achieve CMMC certification by the time of award, emphasizing the importance of timely compliance with the specified security standards.
  6. Risk of Ineligibility: Failure to obtain CMMC certification jeopardizes a contractor’s eligibility for future contracts, posing potential ramifications for their involvement in defense-related projects.
  7. Contractual Breach Risk: Non-compliance with CMMC certification requirements not only jeopardizes future opportunities but also puts contractors at risk of breaching existing contracts, necessitating adherence to the outlined security measures.

CMMC’s Finalization is Imminent

The unveiling of the proposed rule marks a significant stride towards embracing DFARS 252.204-7021 and implementing the CMMC program. DFARS 7021 mandates that defense contractors attain CMMC certification at the level specified in their contract by the time of award. Non-compliance with this certification requirement not only renders contractors ineligible for future contracts but also puts them at risk of breaching existing contractual obligations. The proposed rule serves as a crucial catalyst for ushering in these vital changes in the defense contracting landscape.

Critical Alignment: CMMC Level 2 Security Controls and NIST 800-171 R2 Requirements for Defense Contractors

CMMC Level 2’s security controls closely align with the 110 controls outlined in NIST SP 800-171 R2, a requirement that has been in place for several years.  For defense contractors entrusted with handling Controlled Unclassified Information (CUI), attaining a minimum of CMMC Level 2 is imperative to maintain eligibility for ongoing work with the Department of Defense (DoD) or any prime contractor positioned within the defense supply chain. Additionally, adherence to NIST 800-171 R2, rather than Revision 3, is mandatory for these contractors. This underscores the critical importance of aligning with the specified security protocols to ensure continued participation in defense-related projects.

C3PAOs’ Crucial Role in CMMC Level 2 Certification: Safeguarding Organizations and Controlled Unclassified Information (CUI)

The certification process for CMMC Level 2 is set to involve accredited C3PAOs (CMMC Third Party Assessment Organizations) assessing approximately 95% of organizations seeking certification, with reassessment every three years. According to DoD estimates, a substantial 95% of organizations responsible for managing Controlled Unclassified Information (CUI) will require C3PAO certification. The Federal Register highlights the scale of this requirement, indicating that over 76,000 companies will undergo CMMC Level 2 certification assessments, compared with only about 4,000 companies eligible for self-assessment. This underscores the significant role C3PAOs will play in ensuring the compliance and security of organizations within the CMMC framework.

From the Federal Register

Navigating CMMC Certification: Understanding POA&Ms, Scoring Requirements, and Timely Security Measures

Under specific circumstances, organizations will be allowed to implement Plans of Action and Milestones (POA&Ms). Attaining a flawless score of 110/110 on their NIST SP 800-171 assessment is not a mandatory requirement for entities seeking CMMC certification. However, a minimum score of 80%, equivalent to 88 out of 110, is necessary.

Exceptions are minimal, with only 1-point controls eligible for POA&Ms, and not all 1-point controls fall within this category. Higher-weighted 3-point and 5-point security controls, for the most part, cannot be addressed through POA&Ms. Furthermore, organizations are obliged to rectify all security gaps identified within 180 days of the initial assessment, emphasizing the imperative for timely and comprehensive security measures.
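A worked illustration of the scoring and POA&M gates described above. This is an added example, not code from the original post or from any DoD assessment tool; it assumes the 1/3/5-point weighting of the DoD assessment methodology, takes the set of excluded 1-point controls as an input (the page does not enumerate them), and uses constructed control labels and weights as sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta

MAX_SCORE = 110          # one point per NIST SP 800-171 R2 control when all are met
MIN_SCORE = 88           # 80% floor stated in the proposed rule
POAM_CLOSE_DAYS = 180    # window to close every open gap after the initial assessment


@dataclass(frozen=True)
class Finding:
    """A control assessed as NOT implemented."""
    control: str   # control label (constructed sample values below, not real IDs)
    weight: int    # 1, 3 or 5 points (assumed DoD assessment methodology weighting)


def sprs_score(findings):
    """Score starts at 110 and loses each unmet control's weight."""
    return MAX_SCORE - sum(f.weight for f in findings)


def poam_eligible(findings, excluded_one_point=frozenset()):
    """Only 1-point controls may sit on a POA&M, and not all of those qualify.
    The page does not list the excluded ones, so the caller supplies them."""
    return all(f.weight == 1 and f.control not in excluded_one_point
               for f in findings)


def conditional_certification(findings, assessed_on, excluded_one_point=frozenset()):
    """Apply both gates: score >= 88 and every open gap POA&M-eligible.
    assessed_on is an ISO date string; the close-out deadline is returned the same way."""
    score = sprs_score(findings)
    eligible = score >= MIN_SCORE and poam_eligible(findings, excluded_one_point)
    deadline = None
    if eligible:
        start = date.fromisoformat(assessed_on)
        deadline = (start + timedelta(days=POAM_CLOSE_DAYS)).isoformat()
    return {"score": score, "eligible": eligible, "poam_deadline": deadline}


if __name__ == "__main__":
    # Constructed sample findings; labels and weights are illustrative only.
    open_gaps = [Finding("gap-01", 1), Finding("gap-02", 1), Finding("gap-03", 1)]
    print(conditional_certification(open_gaps, "2024-01-15"))
    # A single 5-point gap keeps the score above 88 but still blocks a POA&M.
    print(conditional_certification(open_gaps + [Finding("gap-04", 5)], "2024-01-15"))
```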

Smooth Transition: Converting High-Scoring JSVA Results to CMMC Level 2 Certification

Results from Joint Surveillance Voluntary Assessments (JSVA) scoring 110/110 will seamlessly transition to CMMC Level 2 certification. Both JSVA and DIBCAC High Assessments have the potential to be converted into CMMC Level 2 certificates, provided that the score is flawless and free of any outstanding Plans of Action and Milestones (POA&Ms). This direct transferability underscores the alignment and recognition of high-performance security assessments in the journey towards CMMC Level 2 certification.

Encryption for CMMC Level 2: Ensuring FIPS Compliance in Defense Contractor and CSP Partnerships

In the pursuit of CMMC Level 2 certification and safeguarding Controlled Unclassified Information (CUI), it is imperative for defense contractors and their associated Cloud Service Providers (CSPs) to employ encryption. However, it is crucial that a FIPS (Federal Information Processing Standards) validated cryptographic module is utilized in both instances. To ensure compliance, inquire with your CSP about their FIPS 140-2 certification. If they are unable to furnish this documentation, it implies that their software cannot be utilized for achieving CMMC Level 2 certification.

Ensuring Cybersecurity Compliance: The Impact of CMMC Proposed Rule on Commercial Email Systems and Cloud Service Providers

The CMMC Proposed Rule affirms the continuity of DFARS 252.204-7012 (c)-(g), implying that commercial email systems such as Microsoft’s O365 Commercial do not meet compliance standards. DFARS 252.204-7012 (c)-(g) outlines cyber incident reporting requirements. Therefore, organizations utilizing Cloud Service Providers should request attestation from their CSPs confirming adherence to these stipulations. This ensures alignment with the specified cybersecurity reporting standards outlined in DFARS.

Navigating the CMMC Proposed Rule: Comment Period, DoD Review, and the Road to Full Implementation

The CMMC proposed rule initiated a 60-day comment period on December 26th, starting with its publication in the Federal Register.

Upon the conclusion of the comment period on February 26, 2024, the Department of Defense (DoD) will review and address all pertinent comments. This comprehensive process is anticipated to span 12-18 months. You should expect an updated publication of the Final Rule in late 2024.

Following the incorporation of CMMC into DFARS, contractors might be obligated to attain CMMC certification before being awarded contracts. The full implementation of CMMC is scheduled to occur gradually over a 3-year period.

Submit Your Comments on the Proposed Rule

This is a crucial way to directly impact the development of the CMMC program. The Department of Defense (DoD) is legally obligated to take your comments into consideration and provide responses. By actively participating in the comment period, you contribute to the public discourse surrounding the CMMC program. You can play a role in shaping its final form.

The deadline to participate in this process is February 26, 2024. Here are some steps you may find helpful:

  1. Visit the Federal Register Website: Go to the official Federal Register website where the Proposed Rule is published.
  2. Locate the Proposed Rule: Find the specific entry or document related to the CMMC Proposed Rule. This information will be available in the Federal Register under the relevant section or agency.
  3. Read the Instructions: Carefully read any instructions or guidelines provided for submitting comments. This information will guide you on the preferred format, content, and any specific details required in your comment.
  4. Prepare Your Comments: Draft your comments in a clear and concise manner. Clearly articulate your perspectives, concerns, or suggestions related to the CMMC program. Provide any supporting evidence or reasoning that strengthens your points.
  5. Submission Method: Identify the preferred method of submission, which could include online forms, email, or traditional mail. Follow the specified instructions for submitting your comments. Be sure to include all required information, such as your name and contact details.
  6. Submit Before the Deadline of February 26, 2024: Ensure that you submit your comments on or before the specified deadline. Comments submitted after this date might not be considered.
  7. Confirmation: If applicable, look for a confirmation of your submission. Some platforms provide confirmation emails or receipts, acknowledging that your comments have been successfully received.

Achieve CMMC and DFARS Compliance with Intech Hawaii’s Cost-Effective Solutions

Intech Hawaii stands out as the premier and cost-effective service provider designed to support businesses in managing Controlled Unclassified Information (CUI), a vital requirement for federal government collaborations. The CMMC accreditation body mandates consistent adherence to DFARS requirements, regardless of the specific CMMC certification level.

For Intech Hawaii, this solution serves as an economical and practical CUI risk management tool for their supply chain. Subcontractors within the company can also utilize Intech Hawaii to align with DFARS, streamlining the transition to CMMC certification in less time and at a fraction of the cost compared to handling the process independently.