Alert
DoD Releases Cybersecurity Maturity Model Certification (CMMC) Program
The Department of Defense (DoD) issued the final Cybersecurity Maturity Model Certification (CMMC) rule in the defense security program into the Federal Register on October 15, 2024.
CMMC was established to verify that contractors have implemented required security controls to protect federal contract information (FCI) and controlled unclassified information (CUI).
Two important parts of the CMMC Rule are: 32 CFR Part 170, which describes the program in detail, and 48 CFR, which discusses how CMMC requirements are to be included in solicitations.
Who Is Affected by the New Guidance?
The three-tiered CMMC model provides the DoD with elevated assurance that contractors and subcontractors are meeting cybersecurity requirements for nonfederal systems processing CUI. The rule, which takes effect, December 16, 2024, provides assessments at three levels, described below.
Level 1 Requirements: Basic Safeguarding of FCI
This model applies to DoD contractors who handle FCI but not CUI and requires an annual self-assessment and annual affirmation of compliance with 15 security requirements in the Federal Acquisition Regulation (FAR) clause 52.204-21.
Level 2 Requirements: Broad Protection of CUI
This model applies to DoD contractors who handle CUI and requires alignment with 110 controls from NIST SP 800-171 r2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Additionally, a CMMC third-party assessment organization (C3PAO) assessment or a self-assessment for selected programs is required every three years. The type of assessment will be determined based on the type of information stored, processed, or transmitted on the contractor or subcontractor information systems. Annual affirmations are also required.
Level 3 Requirements: Higher-Level Protection of CUI Against Advanced Persistent Threats
Level 3 applies to DoD contractors working on extra sensitive projects who must protect CUI against risk from advanced persistent threats (APTs) and requires attaining a final CMMC Level 2 status through a triennial assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
There’s also a required annual affirmation to verify compliance against the 24 controls in NIST SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171.
Background on New Guidance
CMMC has been floating through the halls of Congress and the Pentagon since 2010, thanks to Executive Order 13556, Controlled Unclassified Information and has been through multiple versions and changes during the past 14 years.
Timing
The CMMC rule takes effect December 16, 2024.
Next Steps
With CMMC finalized, contractors and subcontractors can begin, with certainty, to address implementing these security requirements to be awarded DoD contracts and subcontracts.
Additionally, if you intend to implement this framework, or provide advisory or assessment services, consider your executive champion, how much funding and how many human resources you’ll need depending on the current state of your business.
Implementing a new security framework takes a significant amount of planning and strategy, even before the implementation.
We’re Here to Help
For more information on the CMMC final rule and potential impacts on your business, contact your Moss Adams professional.