Exciting CMMC 2.0 Final Rule Updates: What You Need to Know

After much anticipation, the Department of Defense has officially published the final rule for Cybersecurity Maturity Model Certification (CMMC) 2.0, codified at 32 CFR Part 170. The changes represent major wins for the Defense Industrial Base (DIB), particularly for contractors and the External Service Providers (ESPs) that support them. Here are the key highlights that will have the most significant impact:

Highlights:

  • CMMC Status and Certification: Instead of certifying the organization as a whole, the DoD has clarified that it is the assessed environment, the systems within the OSC's CMMC Assessment Scope, that receives a Certificate of CMMC Status. This is a nuanced but important shift: the certificate says nothing about networks the OSC left out of scope.
  • POA&M Closeout Flexibility: The final rule gives some flexibility for closing out NOT MET requirements that are not eligible for the Plan of Action and Milestones (POA&M). Whether such a finding, including a 5-point item, can be remediated and re-verified within the assessment rather than forcing an entirely new assessment is now worked out between the OSC and its C3PAO. The POA&M itself remains tightly bounded: at Level 2 the assessment score must be at least 88 of 110, no 5-point requirement may be placed on the POA&M, and it must be closed out within 180 days.
  • ESP / CSP Impacts Clarified: External Service Providers (ESPs), including Cloud Service Providers (CSPs), that DO NOT process, store, or transmit Controlled Unclassified Information (CUI) do not require their own CMMC assessment. Instead, the services they provide are assessed as Security Protection Assets (SPAs) during the prime contractor's assessment. This change aligns with DIBCAC precedent and means most contractors can realistically meet certification requirements without being overburdened.
  • Furthermore, the assessment of SPAs has been refined. These assets are now evaluated only against the Level 2 security requirements relevant to the capability they provide, rather than the full set of 110 requirements, which simplifies the assessment and reduces its cost.
  • Managed Service Providers (MSPs) no longer need to hold their own Level 2 CMMC certification for their clients to pass. Instead, each server or service they provide is assessed as part of the client's CMMC assessment, verifying that the security function it supports performs as required. MSPs that want to avoid being reassessed with every client still have the option to pursue their own certification.
  • Security Protection Data (SPD): The new definition of Security Protection Data (SPD) covers the data an SPA stores or processes to protect the OSC's environment, such as the configuration data needed to operate the SPA, log files it generates or ingests, vulnerability and configuration status of in-scope assets, and passwords that grant access to the in-scope environment. Having a defined term makes it much clearer which data is critical to protecting an OSC's environment, and therefore in scope.
  • Joint Surveillance Validity: Companies that completed a Joint Surveillance Voluntary Assessment (JSVA) with a perfect score of 110 will now be granted CMMC Level 2 status without additional hurdles, another significant improvement.

Phased Rollout of CMMC 2.0:

The final rule sets clear phases for implementation. The clock starts when the companion 48 CFR (DFARS) acquisition rule takes effect, not on the effective date of the 32 CFR rule itself:

  • Phase 1: First 12 months: Level 1 and Level 2 self-assessments required in applicable solicitations and contracts.
  • Phase 2: Months 13-24: Level 2 Certification Assessments required for applicable new contracts.
  • Phase 3: Months 25-36: Level 2 Certification Assessments also required for option periods, and Level 3 Certification Assessments for all applicable contracts.
  • Phase 4: Full implementation after 36 months, when the applicable CMMC level will be included in all DoD solicitations and contracts that involve FCI or CUI.

What’s Next?

The rule was published in the Federal Register on October 15, 2024 and takes effect on December 16, 2024. Companies will need to adjust quickly, particularly to the artifact retention requirement: the evidence used for an assessment must now be kept for six years, and this applies to Level 1 and Level 2 self-assessments as well as certification assessments.

For contractors and MSPs, this is the time to review your Shared Responsibility Matrix, confirm which party is responsible for each of the 110 NIST SP 800-171 Rev. 2 requirements, and start closing the gaps. CMMC is finally here; make sure your business is ready.

If you’re unsure where to start or need expert guidance to ensure you’re on the path to becoming CMMC compliant, contact us today. Our tailored, supportive approach will ensure your business is prepared — without the headache.


Acronyms:

**CMMC** – Cybersecurity Maturity Model Certification

**CUI** – Controlled Unclassified Information

**ESP** – External Service Provider

**MSP** – Managed Service Provider

**CSP** – Cloud Service Provider

**OSA** – Organization Seeking Assessment

**OSC** – Organization Seeking Certification

**SPA** – Security Protection Asset

**SPD** – Security Protection Data

**VDI** – Virtual Desktop Infrastructure

**FedRAMP** – Federal Risk and Authorization Management Program

**FCI** – Federal Contract Information

**DoD** – Department of Defense

**C3PAO** – Certified Third-Party Assessment Organization

**DIBCAC** – Defense Industrial Base Cybersecurity Assessment Center
