Proposed Rule published in Federal Register.
60-day comment period begins
The Department of Defense’s CMMC program has taken a huge leap forward with the publication of the CMMC Proposed Rule in the Federal Register on December 26, 2023. This kicks off a 60-day comment period, and we expect CMMC requirements to begin appearing in contracts in Q3-Q4 2024.
Make sure to join our exclusive webinar on January 17th @ 1PM EST where we’ll delve into the CMMC Proposed Rule and clarify:
- The CMMC timeline and when CMMC will be in contracts
- The security controls required at CMMC Level 2
- How contractors should prepare themselves for CMMC’s rollout
7 key takeaways from the Proposed Rule:
- CMMC will be finalized. Publication of the proposed rule is a huge leap toward adoption of DFARS 252.204-7021 and enactment of the CMMC program. DFARS 252.204-7021 requires defense contractors to hold a CMMC certification at the level specified in their contract by the time of award. Contractors that fail to get certified will be ineligible for future contracts and may be in breach of existing ones.
- The security controls required at CMMC Level 2 will mirror the 110 controls in NIST SP 800-171 Rev 2, which DFARS 252.204-7012 has required for several years. Defense contractors that handle Controlled Unclassified Information (CUI) will need to achieve at least CMMC Level 2 to remain eligible to work for the DoD or for any prime contractor above them in the defense supply chain. Note that the proposed rule points to NIST SP 800-171 Rev 2, not the forthcoming Revision 3.
- The DoD estimates that 95% of organizations handling CUI will need a C3PAO certification: roughly 95% of organizations seeking CMMC Level 2 will have to be assessed by an accredited C3PAO (CMMC Third Party Assessment Organization) once every three years. In the Federal Register, the DoD estimates that over 76K companies will need a CMMC Level 2 certification assessment, versus only about 4K that will be permitted to self-assess.
- POA&Ms will be permitted under limited circumstances. Organizations seeking CMMC certification do not need a perfect 110/110 on their NIST SP 800-171 assessment, but they must score at least 80%, i.e., 88 out of 110 under the DoD Assessment Methodology’s weighted scoring. Only 1-point controls can be placed on a POA&M, and not every 1-point control is POA&M-eligible; POA&Ms are not permitted for the highest-weighted controls (those worth 5 points according to the DoD’s Assessment Methodology). Every open item must be remediated within 180 days of the initial assessment.
- 110/110 Joint Surveillance Voluntary Assessment (JSVA) results will transfer directly to CMMC Level 2 certification. JSVA and DIBCAC High Assessment results will convert to CMMC Level 2 certificates, but only if you achieved a perfect score with no open POA&Ms. Read here how 2 contractors achieved this perfect score using PreVeil.
- If a defense contractor, and/or the Cloud Service Provider (CSP) it works with, uses encryption to protect CUI in support of CMMC Level 2 certification, a FIPS-validated cryptographic module must be used in both cases. Ask your CSP for the certificate number of its FIPS 140-2 (or FIPS 140-3) validated module and confirm that the number appears on NIST’s CMVP validated modules list; a vendor claim of “FIPS-compliant” or “uses FIPS algorithms” is not the same as a validated module, and the module must also be operating in its validated (FIPS) mode. If the CSP cannot provide this documentation, you cannot rely on its encryption to protect CUI.
- Common commercial email systems like O365 are not compliant with DFARS 252.204-7012 paragraphs (c)-(g). Those paragraphs cover cyber incident reporting, submission of malicious software, preservation and protection of media, DoD access to additional information, and cyber incident damage assessment; under 7012(b)(2)(ii)(D), a CSP that stores, processes or transmits CUI on your behalf must meet FedRAMP Moderate (or equivalent) and comply with those same paragraphs. Organizations that use CSPs should ask for written attestation that their CSP meets them.
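The 80% gate in the POA&M takeaway above is applied to the DoD Assessment Methodology’s weighted score (110 minus the 1/3/5-point value of every unmet control), not to a simple count of met controls, so a single unmet 5-point control costs five times as much as an unmet 1-point control and is never POA&M-eligible. The worked example below, added here and not taken from the PreVeil post or from the rule text, encodes the two checks the post describes (score of at least 88, and no POA&M item weighted above 1 point) and applies them to a constructed assessment result. The control IDs and point weights are sample data in the style of the methodology, not the official table; the optional list of 1-point controls that still may not be POA&Med is left for the caller to supply, because the post says such controls exist but names none.

```python
"""Conditional-certification check for a CMMC Level 2 / NIST SP 800-171 assessment.

Added example; not PreVeil's code. Control IDs and weights are constructed
sample data, and the "only 1-point controls may be POA&Med" rule is the
simplified form stated in the post.
"""
from dataclasses import dataclass, field

FULL_SCORE = 110        # 110 requirements; score starts here and drops per unmet control
PASS_THRESHOLD = 88     # 80% of 110, the minimum for a conditional certification
POAM_MAX_WEIGHT = 1     # only 1-point controls may be placed on a POA&M

# Constructed sample weight table (assumption, not the official methodology table):
# ten 5-point controls, ten 3-point controls, the remaining ninety worth 1 point.
SAMPLE_WEIGHTS = {f"REQ-{i:03d}": 1 for i in range(1, 111)}
SAMPLE_WEIGHTS.update({f"REQ-{i:03d}": 5 for i in range(1, 11)})
SAMPLE_WEIGHTS.update({f"REQ-{i:03d}": 3 for i in range(11, 21)})


@dataclass
class Verdict:
    score: int
    outcome: str                                  # "final", "conditional" or "fail"
    blocking: list = field(default_factory=list)  # unmet controls that cannot be POA&Med


def assess(weights: dict, unmet: set, non_poamable: frozenset = frozenset()) -> Verdict:
    """Compute the weighted score and decide the certification outcome.

    weights: control ID -> point value (1, 3 or 5).
    unmet: IDs of controls the assessor marked NOT MET.
    non_poamable: 1-point controls that still may not be POA&Med (caller-supplied
        assumption; the post says such controls exist but does not list them).
    """
    unknown = unmet - set(weights)
    if unknown:
        raise ValueError(f"unknown control IDs: {sorted(unknown)}")

    # Weighted score: every unmet control subtracts its point value (can go negative).
    score = FULL_SCORE - sum(weights[c] for c in unmet)

    if not unmet:
        return Verdict(score, "final")            # 110/110: final certificate, no POA&M needed

    # Anything heavier than 1 point, or explicitly excluded, cannot sit on a POA&M.
    blocking = sorted(c for c in unmet if weights[c] > POAM_MAX_WEIGHT or c in non_poamable)

    if score >= PASS_THRESHOLD and not blocking:
        # Conditional certificate: every open item must be closed within 180 days.
        return Verdict(score, "conditional")
    return Verdict(score, "fail", blocking)


if __name__ == "__main__":
    # Twenty-two unmet 1-point controls: score exactly 88, conditional certification.
    print(assess(SAMPLE_WEIGHTS, {f"REQ-{i:03d}" for i in range(21, 43)}))
    # One unmet 5-point control: score 105, but the control blocks a conditional cert.
    print(assess(SAMPLE_WEIGHTS, {"REQ-001"}))
```

The second call in the usage block is the case practitioners most often get wrong: a score well above 88 still fails if any unmet control is one that cannot be POA&Med, so remediation planning should start from the heavy-weighted gaps rather than from the count of open items.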
Figure: Estimated Number of Entities by Type and Level (source: Federal Register)
Timing
The 60-day comment period for the CMMC proposed rule began on December 26, 2023, upon publication in the Federal Register.
When the comment period ends on February 26, 2024, DoD will adjudicate and respond to all relevant comments. This process could take 12-18 months, with the Final Rule expected to be published in late 2024 or early 2025.
Once CMMC is incorporated into DFARS, contractors may be required to achieve CMMC certification prior to contract award. CMMC will be fully phased in over a 3-year period.
How to submit your comments on the Proposed Rule
The comment period is your opportunity to directly influence the shape of the CMMC program. DoD is bound by law to consider and respond to relevant comments. Comments can be submitted at the Federal eRulemaking Portal until February 26, 2024.
What Do I Have to Do Now to Get Ready for CMMC?
CMMC will be finalized and you will be required to meet its requirements. It is important for contractors to understand that even though CMMC will be phased in over time, it does not necessarily follow that you will have more time to achieve CMMC certification. For example, your organization could be down the supply chain from another contractor subject to CMMC, in which case, per DFARS 252.204-7021, that contractor must flow the CMMC requirement down to your organization.
As Matt Travis (CEO of the CyberAB) noted in a recent PreVeil webinar:
“If you’re one of those companies…hoping that the protracted rule-making will save you, you’re misguided and that’s a pretty reckless way to run your business”
The average small company in the DIB will need 12-18 months to prepare for its CMMC assessment. That means that now is the time to improve your cybersecurity posture. The security requirements for CMMC Level 2 mirror NIST SP 800-171 Rev 2, so your most efficient path to CMMC Level 2 certification is via NIST SP 800-171 compliance.
PreVeil’s CMMC solution
PreVeil is the leading solution for achieving CMMC Level 2 compliance. Trusted by over 1,000 small and midsize defense contractors, PreVeil’s solution has proven successful in getting customers a perfect 110/110 NIST score in tough DoD assessments. We decrease the cost and time to achieve compliance by over 60% with our simplified 3-step solution:
- Step 1: Adopt PreVeil’s email and file sharing platform to protect CUI.
- Step 2: Take advantage of PreVeil’s compliance documentation package.
- Step 3: Leverage PreVeil’s partner community of consultants and assessors.
PreVeil’s proven 3-step solution uses a security-first approach to compliance, saving you time, minimizing your risks, and reducing your costs.
To learn more: Book a free 15-minute consultation with our compliance team
The post 7 Key Takeaways from the CMMC Proposed Rule appeared first on PreVeil.
This is a Security Bloggers Network syndicated blog from Blog Archive - PreVeil authored by Orlee Berlove, reviewed by Noël Vestal, PMP, CMMC RP. Read the original post at: https://www.preveil.com/blog/7-key-takeaways-from-the-cmmc-proposed-rule/