The CMMC Final Rule is Here: Essential Information for Contractors


The CMMC Final Rule: What Organizations Handling Controlled Unclassified Information Need to Know

On October 15, 2024, the Department of Defense (DoD) published the Cybersecurity Maturity Model Certification (CMMC) Program Final Rule, a pivotal regulation that will reshape the cybersecurity landscape for organizations handling Controlled Unclassified Information (CUI). The rule, codified at 32 CFR Part 170, takes effect on December 16, 2024. It introduces significant changes that organizations must understand and prepare for in order to stay compliant and remain eligible for future DoD contracts.

Key Points of the CMMC Final Rule

The CMMC Final Rule outlines several critical requirements for organizations seeking CMMC Level 2 compliance:

  1. Third-Party Assessments: Most organizations handling CUI will be required to undergo a third-party assessment by a CMMC Third-Party Assessment Organization (C3PAO) to verify that they protect CUI using the 110 security requirements in NIST SP 800-171 Rev. 2. Some Level 2 contracts will instead accept a self-assessment; the solicitation specifies which applies.

  2. Minimum Compliance Score: A score of at least 88 out of 110 is required to receive a conditional certification, with only limited flexibility to defer certain requirements through Plans of Action and Milestones (POA&Ms).

  3. Compliance Obligations for Service Providers: The rule specifies compliance obligations for Cloud Service Providers (CSPs) and External Service Providers (ESPs), such as Managed Service Providers (MSPs), that organizations may use to meet CMMC standards.

  4. Phased Rollout: CMMC requirements will begin appearing in contracts once the companion 48 CFR (DFARS) acquisition rule takes effect, which the DoD expects in Q2 2025, and the number of contracts that mandate compliance will increase over a multi-year phase-in.

  5. Rigorous Documentation: Organizations must establish a robust program based on the NIST 800-171 framework, including thorough documentation such as System Security Plans (SSPs) to demonstrate compliance.

CMMC Timeline and Rollout

The CMMC Final Rule becomes effective on December 16, 2024, which allows C3PAO assessments to begin. The DoD plans to incorporate CMMC requirements into contracts once the companion 48 CFR acquisition rule is finalized, expected in Q2 2025. Organizations should therefore be prepared to demonstrate CMMC compliance starting in mid-2025.

The rollout will occur in four phases, each lasting one year:

  • Phase 1 (2025): The DoD will begin requiring CMMC in select solicitations. For Level 2, Phase 1 generally calls for a self-assessment with an annual affirmation, although the DoD may require C3PAO certification for some contracts at its discretion.

  • Phases 2-4: Beginning in Phase 2, C3PAO certification becomes the norm for Level 2 contracts, and the number of contracts carrying a CMMC requirement increases each year. By Phase 4, all applicable contracts, including option periods on existing ones, will mandate CMMC certification.

Key Requirements for Organizations Seeking CMMC Level 2 Compliance

Organizations must adhere to several key requirements to achieve CMMC Level 2 compliance:

  1. Meet NIST SP 800-171 Requirements: Organizations must implement all 110 NIST SP 800-171 Rev. 2 security requirements to safeguard CUI, spanning areas such as access control, incident response, and physical protection.

  2. Achieve a Minimum Score of 88: A conditional certification is possible at a score of 88 or higher, but the use of POA&Ms is tightly limited: generally only requirements with a point value of 1 under the DoD scoring methodology may be deferred, and every open item must be implemented and verified within 180 days of the conditional certification. In practice, most requirements must be fully implemented before certification can be achieved.

  3. Cloud Service Providers (CSPs): If an organization uses a CSP to process, store, or transmit CUI, the CSP must either hold a FedRAMP Moderate (or higher) authorization or meet the DoD's FedRAMP Moderate equivalency requirements.

  4. External Service Providers (ESPs): Services provided by ESPs that handle CUI or function as Security Protection Assets fall within the organization's assessment scope and are assessed as part of the organization's own assessment. Under the final rule, an ESP that is not a CSP does not need its own CMMC certification.

  5. Flow-Down Requirements for Subcontractors: Prime contractors must flow CMMC requirements down to their subcontractors, and any subcontractor that processes, stores, or transmits CUI must meet the same Level 2 requirements, ensuring protection throughout the supply chain.

  6. Virtual Desktop Infrastructure (VDI) Clarifications: The final rule clarifies that endpoints which access CUI only through a VDI session, and are configured so that CUI cannot be processed, stored, or transmitted on the endpoint beyond keyboard, video, and mouse data, may be treated as out of scope for assessment. The VDI environment itself, however, must fully meet the CMMC requirements.

Achieving Compliance

Organizations seeking CMMC Level 2 compliance must focus on two key initiatives:

  1. Implementation of IT Systems and Policies: Organizations must secure IT systems to protect CUI, following the NIST SP 800-171 framework, which includes establishing cybersecurity practices and ensuring continuous monitoring.

  2. Robust Documentation: Accurate documentation is essential, with the System Security Plan (SSP) serving as the core document demonstrating compliance. Regular updates to the SSP will be necessary to maintain contract eligibility.

Regulatory Implications for Organizations Seeking CMMC Compliance

The era of deferring compliance is over. Organizations must strategically prepare for CMMC requirements to maintain eligibility for future contracts. Key considerations include:

  • Prepare for CMMC Now: Organizations should not delay preparation, because the rule allows the DoD to add CMMC requirements to existing contracts, for example at option periods, rather than only to new awards.

  • C3PAO Assessments Start December 16, 2024: For those ready, an early third-party assessment can enhance competitiveness in contract bids. A rigorous self-assessment against NIST SP 800-171 is the first step, followed by a C3PAO assessment once the organization is confident it meets the 88-point threshold.

Conclusion

The CMMC Final Rule represents a significant shift in cybersecurity expectations for defense contractors. By preparing now, organizations can position themselves for success in future contract opportunities. Developing a comprehensive cybersecurity program and maintaining accurate, up-to-date documentation are critical steps for compliance.

Next Steps

If your organization wishes to remain a part of the Defense Industrial Base, achieving CMMC compliance is essential. PreVeil can assist you in this journey.

PreVeil is trusted by over 1,200 defense contractors and offers a comprehensive solution to expedite CMMC compliance, including:

  • Technology Platform: Our Email and Drive platform protects CUI with end-to-end encryption and meets FedRAMP Moderate Equivalent, FIPS 140-2, and DFARS 252.204-7012 paragraphs (c) through (g) requirements.

  • Compliance Accelerator: We provide pre-filled CMMC documentation, assessor-validated videos, and one-on-one support from our compliance experts.

  • Partner Network: We support your organization through the entire compliance journey, from preparation to assessment, with our network of CMMC consultants and auditors.

To learn how PreVeil can help, reach out to our sales team or schedule a free 15-minute compliance consult.

The CMMC Final Rule is a crucial development for organizations handling CUI. By taking proactive steps now, you can ensure your organization is ready to meet the new compliance requirements and secure future opportunities within the defense sector.
