CMMC Proposed Rule Changes Are Here
How defense contractors can prepare for CMMC compliance now
The long-awaited notice of proposed rulemaking for the Cybersecurity Maturity Model Certification (CMMC) program — an assessment standard for U.S. Department of Defense (DoD) contractors and subcontractors — is finally here.
Originally introduced in 2019, the CMMC program was designed to ensure that members of the Defense Industrial Base (DIB) secure their information systems in a manner that protects sensitive DoD information. The DIB consists of organizations ranging from large publicly traded companies to research programs at higher education institutions as well as small and medium-sized businesses, all with a range of cybersecurity resources at their disposal — making a single set of cybersecurity requirements for all challenging.
The Changes, Explained
The 234-page proposed rule revealed some key changes from the previous iteration of the CMMC evaluation criteria to address feedback from defense programs and their contractors.
There are five key changes outlined in the proposed rule:
- Self-attestation can be used with 2 of 3 CMMC levels. Level 1 companies (i.e. those who only have Federal Contract Information (FCI) in their possession) and 5% of Level 2 companies (i.e. those who have Controlled Unclassified Information (CUI) in their possession) may use self-assessments for compliance. The eligibility criteria for Level 2 self-assessment have not been fully defined but will be based on CUI sensitivity. All other Level 2 organizations must have a Certification Assessment conducted by an authorized third-party assessment organization (C3PAO) every three years. All Level 3 companies must still have triennial assessments conducted by the Defense Industrial Base Cybersecurity (DIBCAC) team, and annual affirmations of continued compliance will be required at every level.
- There is a phased rollout of the program over 2.5 years. The CMMC program update was released as a proposed rule rather than an interim final rule. This means the proposal will return to the rulemaking process after a 60-day public comment window, and that process is expected to take 9-12 months. There is still a long road ahead to finalizing the rule before the clock starts on the proposed 4-phase implementation process.
- The integration of NIST 800-171 Revision 3 and CMMC is likely years away. It seems increasingly likely that National Institute of Standards and Technology (NIST) 800-171 r3 will not be incorporated into the CMMC framework anytime soon. While Defense Federal Acquisition Regulation Supplement (DFARS) 7012 refers to the “Current Version” of the NIST 800-171 document, the proposed CMMC rule specifically identifies revision 2 as the current framework. A shift to revision 3 would therefore require significant changes to the proposed rule, which is highly unlikely for the upcoming round of rulemaking. However, DFARS 7012 will undergo its own rulemaking process later this year, so it’s possible we’ll see its language modified to align with the proposed CMMC rule. Either way, the implementation of revision 3 into the CMMC framework is likely years away.
- There aren’t any CMMC security requirements for specialized assets, such as operational technology (OT) and Internet of Things (IoT), which isn’t surprising since NIST 800-171 was not written for these types of assets. What is surprising is the lack of additional guidance for contractors on securing these types of assets. For now, they will only need to be documented in an asset inventory and system security plan (SSP).
- There is an increased focus on Managed Service Providers (MSPs). MSPs and Managed Security Service Providers (MSSPs) that qualify as external service providers (ESPs) may have to achieve a CMMC Certification level equivalent to that of their DIB clients if the language in the proposed rule remains. This raises many questions: for example, how will an MSP that supports DIB contractors without being a direct contractor itself even qualify for a Certification Assessment? And what would happen if an MSP supporting tens or hundreds of DIB clients failed its assessment? Whether or not this requirement sticks, it is clear the DoD is serious about ESP security.
The Road Ahead
Following the active 60-day public comment window, the CMMC proposed rule is expected to be finalized in late 2024 or early 2025. Upon finalization, a four-phase implementation process spanning 2.5 years will begin, during which all contractors will be required to comply with the requirements in order to continue bidding on and/or participating in DoD contracts.
Here is a brief rundown of what to expect in each CMMC implementation phase:
- Phase 1 (Expected to start late 2024 or early 2025): The initial phase will require CMMC Level 1 and CMMC Level 2 Self-Assessments for all DoD solicitations and contracts.
- Phase 2 (Begins six months after Phase 1): The second phase will begin including CMMC Level 2 Certification Assessments as a condition of DoD contract award as well as officially open the window for Level 3 assessments. However, DoD may choose to push the requirement to an option period on applicable contracts.
- Phase 3 (Begins 1 year after Phase 2 implementation): The next phase will complete the roll-out of Level 2 across all DoD solicitations and contracts. However, Level 3 Certification Requirements may be pushed to an option period on applicable contracts.
- Phase 4 (Begins 1 year after Phase 3 implementation): In the final phase, the CMMC requirements will be included in all applicable contracts and the CMMC Program will be considered fully implemented.
While the proposed rule clarified many points of feedback on the previous version, there are still some lingering questions that we hope to see resolved in the coming months:
- How will the DoD enforce contract termination for contractors unable to meet the applicable CMMC maturity level in the option period? If the DoD allows contractors without CMMC Level 2 certification to bid on contracts in Phase 2, there is a risk of program delays if those contractors cannot complete their CMMC certification in time.
- How will the DoD prevent ESPs from becoming a single point of failure? External service providers, while critical to ensuring continuous monitoring between assessment periods, may only support DIB companies and are not direct DoD contractors. As the rule is currently written, these ESPs will need to obtain a CMMC certification, and do so prior to their clients — again, creating an opening for further program delays.
- Which version of NIST 800-171 controls will dictate CMMC? The new proposed rule specifies Revision 2, but DFARS 7012 (the overarching standard for DoD governance of CUI) is also set to go through rulemaking in 2024 and requires the “Current Version”, which will soon be Revision 3. It may be several years before the language for CMMC and DFARS is fully aligned.
- Will the DoD provide additional support for small businesses struggling to meet the requirements? There are tens of thousands of small businesses in the DIB, many of which lack the personnel, IT resources, and financial resources necessary for CMMC compliance. It remains to be seen whether DoD will aid these businesses.
Preparing for CMMC Compliance Now
Despite the back-and-forth in the rulemaking process, it’s important to remember that the CMMC program originated from the need for improved risk mitigation across the DIB, where previous self-attestation efforts failed. While defense programs and their contractors should certainly begin to prepare for the expected implications of a CMMC rollout, there are several activities that organizations can do now to effectively reduce cybersecurity risk and increase resilience in the long term:
- Understand your FCI/CUI dataflow and prepare for CMMC readiness. A CMMC readiness service of this kind includes a documentation review, FCI/CUI scoping, a baseline assessment, Plan of Action and Milestones (POAM) identification and remediation planning, an on-site visit, and more. Upon completion, you will have a clear understanding of your current posture against the CMMC requirements, as well as how to close any remaining gaps.
- Gain deeper visibility into your supply chain. New compliance standards like CMMC now mandate greater accountability for the cybersecurity of your organization’s broader ecosystem of suppliers, partners, and other third parties. Tools that not only illuminate and map your external attack surface but also contextualize how important a given third party is to your operations are a critical foundation for understanding your overall cyber risk posture.
- Create scalable programs to manage ongoing risk. Every supplier relationship is different, so working with experts to tier your illuminated supply chain ecosystem and prioritize the cyber risk practices needed to maintain or improve compliance ensures your internal budget and resources can be allocated effectively.
- Regularly validate technical controls with continuous monitoring tools. While compliance standards like CMMC typically assess a variety of technical and non-technical controls, it is important to maintain continuous visibility of the technical controls that can be validated through automated monitoring of your internal and external attack surface. For instance, BlueVoyant’s Managed Detection and Response (MDR), Supply Chain Defense (SCD), Digital Forensics and Incident Response (DFIR), incident response testing, and vulnerability scanning tools can map to NIST controls and provide cyber threat detection beyond the standard periodic check or penetration test.
- Establish processes to collaborate with sub-tier suppliers on cyber remediation. If critical issues or emerging vulnerabilities are identified, your organization also needs a direct line of communication to impacted vendors and suppliers so everyone can rapidly work together on remediation.