The CMMC Proposed Rule is Out – Now What?
Posted by: Jason Spencer
What is CMMC?
NIST Special Publication 800-171 (110 requirements) was first published in 2016 with an implementation requirement date of December 31, 2017, under the Defense Federal Acquisition Regulation Supplement (DFARS). The requirements were created to establish cybersecurity controls for Controlled Unclassified Information (CUI) as defined by the Department of Defense (DoD); this information does not reach the secret classification level but must still be protected. After years of a desire for certification of compliance with the NIST 800-171 requirements, and a lack of improvement in CUI cybersecurity protections, the Cybersecurity Maturity Model Certification (CMMC) program (https://www.cisa.gov/resources-tools/resources/cybersecurity-maturity-model-certification-20-program) was established on January 31, 2020. CMMC requirements will apply to any non-federal organization that processes, stores, or transmits Federal Contract Information (FCI) or CUI.
Why should I care about CMMC 2.0 Requirements?
CMMC 2.0 was published in November 2021 with an estimated 9 to 24 months to complete the rulemaking process, after which CMMC compliance will be included in DoD contracts as mandatory (a condition of contract award). CMMC has undergone multiple changes and adjustments through the years and is now getting closer to the finish line, as the proposed rule was released on December 26, 2023. The ability to attest to compliance with the cybersecurity standards outlined by CMMC 2.0 will affect your ability to bid on contracts and could affect current contracts.
What happens next after CMMC 2.0’s Release Date?
There will be a 60-day comment period concluding on February 26, 2024. After the comment period ends, DoD will review the comments and, at some point after that, release the Final Rule, possibly within the next year. Once the Final Rule is out, the DoD is expecting to implement it in phases, introducing CMMC requirements into Requests for Proposals (RFPs) and/or solicitations over a three-year period. The DoD anticipates it will take two years for companies with existing contracts to become CMMC-certified. On or after October 1, 2026, all solicitations are expected to include CMMC requirements.
How will NIST 800-171 Revision 3 affect CMMC?
Are you compliant with NIST 800-171 Revision 2 (110 requirements)? If the answer is no, then Revision 3 is the least of your worries. Revision 2 compliance has been required since the DFARS 252.204-7012 implementation deadline of December 31, 2017. If you already handle data classified as FCI and/or CUI, you should already be compliant with Revision 2, even with Revision 3 coming out. Should you plan to bid on future contracts, at a minimum you should be able to attest compliance with Revision 2.
NIST 800-171 Revision 3 is in draft, and the comment period will run through at least the end of January 2024. There will then be a finalization of the document, an implementation period, and a period where the DoD will have to make a decision as to which revision will be required under the Final Rule. This process could take many months to a year or more.
If you are not compliant with Revision 2, then you should get there quickly, as you are already behind. All parts of Revision 2 will be included in Revision 3 in some form or fashion.
Where should my focus be?
If you process, store, or transmit FCI and/or CUI, your focus should be on DFARS clauses 252.204-7019, 252.204-7020, and 252.204-7021, as these clauses are already within contracts and are enforceable now, without waiting for the finalization of the CMMC Rule. Additionally, focus on working toward compliance with NIST 800-171 Rev 2. These requirements will be part of the Rule and will still be within NIST 800-171 Revision 3 when it is published.
What should I do to adhere to CMMC 2.0 changes?
First, read the proposed rule. It is 234 pages; the first 32 pages summarize the Rule, while the actual proposed rule itself begins on page 157. (The middle section contains significant and relevant commentary on questions previously asked regarding CMMC.) Second, reach out to GuidePoint Security to get expert support on CMMC compliance. An initial gap assessment, which GuidePoint can provide, is highly recommended by the Certified 3rd-Party Assessor Organizations (C3PAOs) that will be conducting certification activities once the rule is finalized. As a CMMC Registered Provider Organization (RPO), GuidePoint Security is prepared and excited to support you on this journey.
Jason Spencer
Senior Security Consultant, Compliance,
GuidePoint Security
Jason Spencer is a Senior Security Consultant in GuidePoint Security's Compliance practice. He began his career in the security industry in 2010, and his professional experience includes security assessments, specializing in network, wireless, and vulnerability management. Jason has led and participated in compliance assessments throughout the world for industries such as banking, commercial, and federal agencies. Jason’s extensive experience in network security assessments includes perimeter, network, and wireless assessments, database auditing, workstation review, social engineering, and firewall auditing. He has also worked within Network Operations Centers (NOCs) and Security Operations Centers (SOCs).
Jason earned a Bachelor of Arts degree in Geology with Teacher certification and holds several certifications, including the Certified Information Systems Security Professional (CISSP).