December 16, 2024

Well, the day(s) some people said would never come are here: 32 CFR Part 170, the Cybersecurity Maturity Model Certification (CMMC) Program, hit the Federal Register as a Final Rule on October 15 and is effective TODAY (December 16, 2024). It’s really happening. If you store, process, transmit, or generate Federal Contract Information (FCI) and/or Confidential Unclassified Information (CUI), the day is coming soon (as early as 2025, maybe a little later) when you will have to prove that you have the required security program and controls in place to protect that FCI and CUI. But, since you have had these controls in place since 2018 as required by the DFARS regulation, this should be a piece of cake, right…?

Now that the Program is formally established, all of the roughly 63 existing Certified 3^rd-Party Assessor Organizations (C3PAOs), plus all the CMMC Certified Assessors (CCAs), have to be re-certified under the Final Rule. If you are an Organization Seeking Certification (OSC) needing a Level 2 assessment by a C3PAO, expect this to impact how quickly you can get your formal assessment on a C3PAO’s schedule. This is in addition to what we’ve been told is already a significant backlog due to the relatively small number of C3PAOs and CCAs relative to the large number of OSCs. Also, the Final Rule extended Phase 1 of the program rollout from six months to twelve months. 

Here is the program rollout timeline as defined in 32 CFR Part 170.3.  “Self,” “C3PAO,” and “DIBCAC” refer to the entity that will perform the associated assessment for the indicated CMMC Level.

• December 16, 2024 – 32 CFR Part 170 (CMMC Program Rule) becomes effective, establishing the CMMC Program.
  • Organizations seeking certification (OSCs) can voluntarily start getting assessed and certified (once the C3PAOs and CCAs are re-certified).
• 1H 2025  (“Effective Date”) – 48 CFR Part 204 (CMMC Acquisition Rule) becomes effective.
  • Phase 1 of the CMMC Program starts.
  • CMMC Level 1 or Level 2 (Self) included in new contracts as a condition of contract award.
  • DoD can and may add Level 1 or Level 2 (Self) as a condition to exercise an option period on contracts awarded prior to the Effective Date.
  • DoD can and may add Level 2 (C3PAO) in place of Level 2 (Self) for any of the above.
• Effective Date + 1 year – Phase 2 of the CMMC Program starts.
  • CMMC Level 1 or Level 2 (Self or C3PAO) included in new contracts.
  • DoD can and may add Level 3 (DIBCAC) for any of the above.
• Effective Date + 2 years – Phase 3 of the CMMC Program starts.
  • CMMC Level 1 or 2 (Self or C3PAO) included in new contracts AND as a condition to exercise option periods on older contracts.
  • CMMC Level 3 (DIBCAC) included in new contracts.
  • DoD can and may add CMMC Level 3 (DIBCAC) as a condition to exercise option periods on older contracts.
• Effective Date + 3 years – Phase 4 of the CMMC Program starts.
  • Program is fully implemented.  CMMC Program requirements included in all applicable DoD solicitations and contracts, including option periods on contracts awarded prior to the beginning of Phase 4.
    

Do you have FCI or CUI? Only your DoD Contracting Officer and Program Office (if you are a prime contractor) knows for sure and can make that determination. Are you exposed to FCI or CUI by a prime? If you’re not sure, get that definitive answer before you do anything else. If you are subject to CMMC, here is what you need to do right now:

1. Establish/re-establish relationships with your ecosystem partners who can help you, including:
   1. DoD Contracting Officers and Program Office personnel (if you are a prime).
   1. Your prime contractor’s personnel who are knowledgeable and have those DoD relationships, including their legal department (if you are a subcontractor to a prime).
   1. A Registered Provider Organization (RPO) or a C3PAO who will not be performing your formal assessment. All C3PAOs, CCAs, and RPOs are listed on the Cyber AB Marketplace.
2. Evaluate and confirm your in-scope environment in light of the published Scoping Guidance to ensure the SSP covers all in-scope system components, locations, personnel, and service providers.
3. Review all responsibility matrices for all service providers and ensure they are clear and detailed.
4. Review every applicable Assessment Objective in the corresponding CMMC Assessment Guide to ensure they are all covered and fully documented in your SSP, and that all referenced supporting documentation exists and is up to date. The Assessment Objectives are used to conduct CMMC assessments and were taken from NIST SP 800-171A.
5. Assess your in-scope environment to ensure that all controls described in the SSP are fully in place – and can be proven that they are in place.
6. Establish or update accounts as applicable in the Supplier Performance Risk System (SPRS) and/or Enterprise Mission Assurance Support Service (eMASS) systems to ensure your organization’s contact information is correct.
   

As an RPO, GuidePoint Security can provide expert guidance with your CMMC compliance efforts. GuidePoint offers CMMC gap assessment and advisory services, delivered by Registered Practitioner(s) (RP) and Registered Practitioner Advanced (RPA) consultants with operations backgrounds who understand how to apply the CMMC controls to your environment, as well as advise on figuring out the in-scope environment and any changes/additions need to close compliance gaps. A gap assessment can be viewed as a “practice run” for formal CMMC certification by a C3PAO.