CMMC Program Final Rule Released

October 11, 2024 | Posted by Robbie Harriman | IT Security

The Final Rule establishing the CMMC Program, 32 CFR Part 170, has been released for public inspection.

What does this mean?  

Unlike the Proposed Rule, which was released in December 2023 for public comment, the document posted today is final, with an official publication date of October 15, 2024. Public inspection simply provides a preview of a document that is already finalized and scheduled for publication in the Federal Register. The rule will become effective 60 days after its publication date.

What’s in the Rule? 

There are not a lot of surprises here. The Program framework outlines requirements for protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) with enhanced validation and enforcement measures (i.e., moving from self-attestation to certification). In addition, it solidifies the message that the DoD has been sending to the Defense Industrial Base that in this new model, Plan of Action & Milestones (PoA&Ms) will have limited allowance.  

PoA&Ms are not permitted at all at Level 1. At Level 2, an assessment that passes with open PoA&M items results in a "Conditional CMMC Status" that is time-limited to 180 days from the conclusion of the assessment. A Conditional status is sufficient for contract award, but all 110 requirements of NIST SP 800-171 must be fully implemented and the PoA&M closed out within that window to reach Final CMMC Status; if it is not, the Conditional status expires and standard contractual remedies apply. PoA&M items closed during the 180-day period are not simply self-declared closed: they must be reevaluated in a closeout assessment (performed by the C3PAO for certification assessments) before Final status is granted.

To qualify for Conditional status, the assessment score must be at least 80% of the total (88 of 110 points under the CMMC Scoring Methodology), and no item placed on the PoA&M may carry a point value greater than 1, with a few specified exceptions (for example, SC.L2-3.13.11 CUI Encryption may be deferred when encryption is in place but not yet FIPS-validated). Some 1-point requirements can never be placed on a PoA&M, including AC.L2-3.1.20, AC.L2-3.1.22, PE.L2-3.10.3, PE.L2-3.10.4 and PE.L2-3.10.5.

The Rule also includes a flow-down matrix: a prime contractor whose contract requires a Level 2 third-party (C3PAO) certification must flow that same requirement down to any subcontractor that will process, store, or transmit CUI in performance of the contract; a subcontractor that handles only FCI needs the Level 1 self-assessment.

What’s next? 

While this rule establishes the CMMC Program and framework, there is a second, still-proposed rule in 48 CFR (the DFARS), which adds the DFARS 252.204-7021 clause to defense contracts and makes CMMC requirements enforceable contractual obligations.

So – Title 32 (released) establishes CMMC, and Title 48 (proposed) enforces it. 

Not coincidentally, the comment period for the Title 48 rule ends in four days, the same day the Title 32 rule is published. The DoD states in its press release that the Title 48 rule is expected to be published in early-to-mid 2025.

What should I do now? 

These are the recommended areas of focus you can achieve with OCD Tech: 

  • Review and update your System Security Plan 
  • Evaluate in-scope Cloud Service Providers for compliance 
  • Evaluate External Service Providers for readiness 
  • Evaluate the assessment scope guidance to ensure all relevant assets (including specialized assets and contractor risk managed assets) have been considered
  • Collect and review evidence of control implementation to validate compliance 

OCD Tech is continuing to review the Rule in its entirety and will provide additional information and resources as soon as available. In the meantime, never hesitate to reach out with questions. I’m always available for a call: https://calendly.com/rharriman/30min 

Resources 

OCD Tech CMMC Resource Page: https://ocd-tech.com/cmmc/ 

US Department of Defense Press Release: https://www.defense.gov/News/Releases/Release/Article/3932947/cybersecurity-maturity-model-certification-program-final-rule-published/ 

 32 CFR Part 170 public inspection: https://public-inspection.federalregister.gov/2024-22905.pdf?utm_campaign=pi+subscription+mailing+list&utm_medium=email&utm_source=federalregister.gov 

Location of the final document, once officially published: https://www.federalregister.gov/public-inspection/2024-22905/cybersecurity-maturity-model-certification-program

Title 48 CFR proposed Rule: https://www.federalregister.gov/documents/2024/08/15/2024-18110/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of 


About Robbie Harriman

Robbie is the Senior IT Audit Manager at OCD Tech. Robbie joined the firm in May of 2016. Prior to working at O'Connor & Drew, P.C., Robbie worked in IT for other companies, including the heavily regulated casino industry. He currently travels locally and internationally working on some of OCD's largest financial services clients. He has a diverse range of experience in the IT field, with a deep background in IT systems administration and control areas.
