skip to Main Content

CMMC 2024 Rule Changes & Requirements

This post provides a detailed overview of RegDOX’s podcast discussion on the Department of Defense’s Final Rule for the Cybersecurity Maturity Model Certification (CMMC), published as 32 CFR Part 170 on October 15, 2024. The episode explores key aspects of the rule and offers important takeaways for defense contractors and stakeholders across the Defense Industrial Base (DIB). This CMMC 2024 briefing highlights what contractors need to know to maintain compliance and prepare for upcoming audits:

  1. Purpose & Policy of the CMMC Program
  2. CMMC Levels and Assessments
  3. Scoping & Asset Categorization
  4. Standards and Incorporation by Reference
  5. CMMC Ecosystem
  6. Implementation & Challenges
  7. Key Takeaways

 

  1. Purpose & Policy

 The CMMC program aims to enhance cybersecurity across the Defense Industrial Base (DIB) by verifying contractor implementation of required security measures to safeguard sensitive information.

 Key Policy Points:

  • Protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) is paramount.
  • Defense contractors and subcontractors are required to safeguard this information on their systems.
  • DoD program managers define the required CMMC level for each procurement.

Quote: “Protection of FCI and CUI on contractor information systems is of paramount importance to the DoD and can directly impact its ability to successfully conduct essential missions and functions.” (§ 170.5(a))

 

  1. CMMC Levels and Assessments

CMMC introduces a tiered model of cybersecurity maturity, with corresponding assessment requirements. The CMMC 2024 rule distinguishes between self-assessments and third-party certifications depending on the level of sensitivity of the data handled:

  • Level 1 (Self): Basic cyber hygiene practices; annual self-assessment. Focuses on the protection of FCI. Relies on 17 basic safeguarding requirements based on FAR 52.204-21.
  • Level 2 (Self/C3PAO): Intermediate cyber hygiene practices; self-assessment every 3 years or C3PAO assessment for certification. Introduces 110 NIST SP 800-171 R2 requirements and involves the protection of CUI.
  • Level 3 (DIBCAC): Advanced cybersecurity practices; assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). Includes all 110 NIST SP 800-171 R2 requirements, a subset of NIST SP 800-172 requirements, and DoD-specified parameters.

Key Points:

  • Assessment types differ by level, ranging from self-assessments to third-party assessments.
  • Plans of action and milestones (POA&Ms) are permitted at Level 2, allowing for remediation of non-compliant areas.
  • DCMA DIBCAC conducts Level 3 certification assessments, which require prior achievement of Level 2 (C3PAO) CMMC status.

Quote: “The DoD elected to base the phase-in plan on the level and type of assessment to provide time to train the necessary number of assessors and to allow companies time to understand and implement CMMC requirements.” (Preamble)

 

  1. Scoping & Asset Categorization

 CMMC compliance depends heavily on how organizations scope and categorize their information systems. Under the CMMC 2024 guidelines, assets must be clearly defined based on the type of information they process and the applicable certification level.

  • Level 1 (Self): All assets processing, storing, or transmitting FCI.
  • Level 2/3: Assets are categorized as:
  • Contractor Risk Managed Assets (Level 2)
  • Security Protection Assets (Level 2 and 3)
  • Specialized Assets (Level 2 and 3)
  • Out-of-Scope Assets: Those physically or logically separated from in-scope systems or inherently incapable of processing, storing, or transmitting CUI.

Key Points:

  • OSAs must clearly define the scope based on information flow and asset categorization.
  • External Service Providers (ESPs) are assessed based on their handling of CUI and if they fall under a Cloud Service Provider (CSP) definition.

Quote: “In order to achieve a specified CMMC Status, OSAs must first identify which information systems, including systems or services provided by External Service Providers (ESPs), will process, store, or transmit FCI, for Level 1 (Self), and CUI for all other CMMC Statuses.” (§ 170.19)

 

  1. Standards and Incorporation by Reference

 The CMMC framework relies heavily on existing standards, notably:

  • NIST SP 800-171 R2: Foundation for Levels 2 and 3, outlining security requirements for protecting CUI.
  • NIST SP 800-172: Additional requirements for Level 3, enhancing security for CUI.
  • NIST SP 800-171A/172A: Provide assessment procedures for the respective NIST SPs.
  • FAR and DFARS Clauses: Govern contracting and cybersecurity requirements.

Key Points:

  • Specific revisions of the standards are referenced to ensure clarity and consistent application.
  • Future amendments will incorporate updated versions of NIST standards.

Quote: “The DoD cites NIST SP 800-171 R2 in this final rule for a variety of reasons, including the time needed for industry preparation to implement the requirements and the time needed to prepare the CMMC Ecosystem to perform assessments against subsequent revisions.” (Response to Public Comments)

 

  1. CMMC Ecosystem

 The CMMC program establishes a comprehensive ecosystem:

  • Accreditation Body (AB): Accredits and authorizes C3PAOs.
  • C3PAOs: Third-party assessment organizations authorized to conduct certified assessments.
  • Organizations Seeking Assessment/Certification (OSA/OSC): Entities pursuing CMMC certification.
  • DoD Agencies: DCMA DIBCAC, SPRS, and various program offices.

Key Points:

  • Each entity has defined roles and responsibilities within the ecosystem.
  • SPRS is the central repository for CMMC status reporting and score results.
  • DCMA DIBCAC plays a crucial role in Level 3 assessments and compliance validation.
  1. Implementation & Challenges

 The CMMC program faces implementation challenges:

  • Phased Rollout: Four phases are planned, starting with self-assessments and culminating in full implementation.
  • Training and Resource Constraints: Need to train adequate assessors and provide resources for OSCs.
  • Cost Burden: CMMC implementation and assessments involve significant costs for the industry and DoD.
  • Small Business Impact: Concerns about the disproportionate impact on small businesses.

Key Points:

  • DoD acknowledges the need to mitigate challenges and has outlined a phased approach.
  • Cost considerations are addressed, but affordability concerns remain.
  • Specific measures to support small businesses are being explored.

Quote: “DoD must enforce CMMC requirements uniformly across the Defense Industrial Base for all contractors and subcontractors who process, store, or transmit CUI.” (Response to Public Comments)

 

7. Key Takeaways

  • The CMMC 2024 Final Rule represents a significant shift in DIB’s cybersecurity requirements.
  • Understanding the CMMC levels, assessments, and scoping requirements is crucial for compliance.
  • Collaboration between industry and DoD is essential to address implementation challenges.
  • The CMMC program is evolving; staying informed about updates and guidance is vital.

These briefing notes and the podcast provide a high-level overview of the CMMC Program Rule. Organizations seeking to participate in DoD contracts should consult the full text of the rule and relevant guidance documents for detailed information and specific requirements.

Click to rate this post!
[Total: 0 Average: 0]

This Post Has 0 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

Back To Top