Cybersecurity Evolution: DoD Completes Cybersecurity Maturity Model Certification (CMMC) Program

Overview

On October 11, 2024, the Department of Defense (DoD) took a significant step in enhancing cybersecurity protocols by releasing a final rule formalizing the requirements, assessment processes, and governance for its Cybersecurity Maturity Model Certification (CMMC) Program. This initiative is designed to ensure that DoD contractors and subcontractors securely manage two critical categories of sensitive government information: Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).

The CMMC framework mandates that contractors handling CUI undergo third-party assessments and obtain certifications that verify their compliance with the 110 cybersecurity controls outlined in National Institute of Standards and Technology Special Publication 800-171A (NIST SP 800-171A) and, where applicable, NIST SP 800-172A. It is essential to note, however, that publication of the Final Program Rule does not trigger immediate implementation of CMMC contract requirements. Actual enforcement is contingent upon a separate rule, known as the CMMC Clause Rule, which is still in the proposed stage and is not expected to be finalized until 2025. Nevertheless, the release of the Final Program Rule allows CMMC Certified Third-Party Assessment Organizations (C3PAOs) to begin assessing contractor compliance, enabling contractors to develop their compliance programs proactively ahead of enforcement.

Notable Changes in the Final Program Rule

While the Final Program Rule largely aligns with the Proposed Program Rule released in December 2023, several notable revisions have been made:

Changes to Phased Implementation Schedule

The Final Program Rule has extended the timeline for the phased implementation of CMMC. Here’s an overview of the new schedule:

  • Phase 1: Begins on the effective date of the CMMC Clause Rule. During this phase, the DoD can include requirements for Level 1 or Level 2 self-assessments in all applicable solicitations and contracts.

  • Phase 2: Starts one year after the CMMC Clause Rule’s effective date, allowing for Level 2 C3PAO assessments in applicable solicitations and contracts.

  • Phase 3: Commences two years following the effective date, enabling Level 2 C3PAO assessment requirements to be included in options for active contracts.

  • Phase 4: Begins three years after the effective date, marking the full implementation of CMMC Program requirements in all applicable solicitations and contracts.

Clarified Requirements for Cloud Service Providers (CSPs) and External Service Providers (ESPs)

In response to public feedback, the DoD has clarified the obligations of CSPs and ESPs. Key points include:

  • CSPs handling CUI must obtain FedRAMP Moderate authorization or meet equivalent security standards.
  • ESPs not classified as CSPs and handling CUI are not required to obtain CMMC certification, but their services will be assessed as part of the contractor’s CMMC evaluation.
  • ESPs and CSPs handling Security Protection Data (SPD) but not CUI are exempt from FedRAMP requirements, although their services will still be evaluated during the contractor’s CMMC assessment.

DIBCAC Authority to Audit Assessment Results

The Final Program Rule enhances the Defense Industrial Base Cybersecurity Assessment Center’s (DIBCAC) authority to audit contractors, regardless of their CMMC status. If discrepancies arise between a contractor’s reported CMMC status and DIBCAC’s audit findings, the latter will take precedence, potentially leading to contractual penalties for noncompliance.

Plan of Action and Milestone (POA&M) Requirement Revisions

The Final Program Rule has updated the list of controls for CMMC Level 2 that cannot have a POA&M, now including the requirement for developing a System Security Plan (SSP).

Core Assessment Requirements

CMMC operates on a three-tiered model consisting of Levels 1, 2, and 3, with each level corresponding to different types of information handled by contractors:

  • CMMC Level 1: Applies to contractors managing FCI, requiring a self-assessment attested to annually.

  • CMMC Level 2: Targets contractors handling CUI, necessitating either an annual self-assessment or a C3PAO certification every three years.

  • CMMC Level 3: Reserved for contractors dealing with high-value CUI, requiring a DIBCAC certification every three years.

Plan of Action and Milestone Requirements

CMMC allows contractors to document their plans to meet unmet controls through POA&Ms. However, there are restrictions:

  • No POA&Ms are allowed for Level 1 assessments.
  • For Level 2, POA&Ms are generally not permitted for controls with a point value greater than 1, and where a POA&M is permitted, specific conditions must be met.
  • Level 3 assessments allow POA&Ms under certain conditions, with a requirement for closure within 180 days.

Affirmations

Annual affirmations of CMMC compliance are mandatory for all in-scope contractors. The Affirming Official, a senior-level representative, must attest to the contractor’s compliance, highlighting the legal risks associated with noncompliance, especially in light of the Department of Justice’s Civil Cyber Fraud Initiative.

Key Takeaways

  1. Review DoD Contracts: Contractors should assess their active contracts to determine the likely CMMC Levels required for compliance.

  2. Develop a System Security Plan (SSP): A comprehensive SSP is essential for preparing for assessments, detailing how security controls are implemented.

  3. Define Internal Roles: Engage stakeholders across departments to ensure alignment on compliance strategies and identify personnel for the Affirming Official role.

  4. Conduct Readiness Assessments: Consider privileged assessments to identify gaps without exposing the company to legal risks.

  5. Refine Corporate Policies: Establish robust cybersecurity policies and incident response plans to meet CMMC requirements effectively.

  6. Engage with C3PAOs: Contractors should proactively engage C3PAOs to schedule assessments, as demand is expected to rise.

In conclusion, the Final Program Rule marks a pivotal moment in the DoD’s efforts to enhance cybersecurity across its supply chain. By understanding and preparing for the CMMC requirements, contractors can position themselves for success in a landscape increasingly focused on safeguarding sensitive information.
