A CMMC 2.0 Final Rule Update: Are you ready for certification?

Are you ready for CMMC 2.0?

In March 2023, we covered the ABCs of CMMC in our blog, “CMMC Breakdown.” Then, in December, we shared the update that the CMMC 2.0 final rule was approaching, as CMMC 2.0 had entered the 60-day public comment period. So, where do we stand today regarding CMMC 2.0 and the CMMC 2.0 final rule? And, more importantly, where does your organization stand in its preparation for obtaining certification?

An April 2024 Update on the CMMC 2.0 Final Rule

On December 26, 2023, the DoD issued the long-awaited proposed final rule for the CMMC 2.0 Program. This milestone also launched a 60-day public comment period running through February 26, 2024.

The proposed CMMC final rule includes several notable developments. Below, we look at just a few of them. As you review, consider whether your business is ready for CMMC 2.0 certification.

  • CMMC 2.0 will have a phased rollout: The proposed rule for CMMC 2.0 indicates a four-phase approach to rollout occurring over 30 months. Particularly noteworthy is that assessment requirements per phase are also included for existing contracts during option years.
  • CMMC 2.0 for Scoping External Service Providers (ESPs): External Service Providers (ESPs) used by defense contractors must meet an equivalent CMMC level to maintain certification. ESPs within the scope of this requirement are defined as vendors handling security-related data or CUI on their own assets. The rule’s definition excludes organizations solely utilizing the original defense contractor’s infrastructure.
  • CMMC 2.0 for Scoping Cloud Service Providers (CSPs): CSPs are defined as a shared pool of configurable computing resources (such as networks, servers, storage, applications, and services) available as software-as-a-service, infrastructure-as-a-service, and platform-as-a-service offerings. For CMMC 2.0 requirements, CSPs without FedRAMP-authorized services at the Moderate or High baselines must achieve 100% compliance through an assessment by a FedRAMP-recognized Third Party Assessment Organization (3PAO). Both ESPs and CSPs require a Customer Responsibility Matrix (CRM) delineating their own responsibilities, customer-owned responsibilities, and shared responsibilities for the in-scope CMMC requirements.
  • New Plans of Action and Milestones (POA&Ms) Requirements (link to new blog post here): The proposed rule also announced that select time-limited POA&Ms will now be permitted. Under the published rule, a conditional certification may be issued with POA&Ms under certain conditions, which we cover in our blog “TITLE” (link to new blog post here). For most organizations seeking CMMC L2 and all seeking L3, a Conditional Certification may be obtained when a minimum score of 80% has been achieved with permissible POA&Ms. That Conditional Certification moves to a Final Certification once all POA&Ms have been closed and validated with a POA&M Closeout Assessment. POA&M items are required to be closed out within 180 days.
  • New Annual Affirmation Requirements: For CMMC L1 and L2, annual affirmations are now required for certification. Misrepresentation of compliance discovered in these affirmations creates additional liability risk under the False Claims Act.

So, are you ready for CMMC 2.0? If not, the time to prepare is now.

As we’ve covered, the Department of Defense (DoD) considers your cybersecurity processes foundational to winning contracts, and it enforces this through the Cybersecurity Maturity Model Certification (CMMC). Achieving CMMC compliance involves more than just adding new security functions to your business’s network; it also requires implementing a series of specific cultural behaviors, policies, and practices within your organization.

As you delve into the details of the latest CMMC 2.0 Final Rule and find yourself in need of clarification or expert guidance, our team at Alluvionic is ready to provide support every step of the way. Reach out to us at Alluvionic.com.
