The Final Rule establishing the CMMC Program, Title 32 CFR Part 170, has been released for public inspection.
What does this mean?
Unlike the Proposed Rule, which was released in December 2023 for public comment, the document posted today is finalized, with an official publication date of 10/15/2024. Public inspection simply provides a preview of a document that is already finalized and scheduled for official publication. The rule will become effective 60 days after the date of publication in the Federal Register.
What’s in the Rule?
There are not a lot of surprises here. The Program framework outlines requirements for protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) with enhanced validation and enforcement measures (i.e., moving from self-attestation to certification). In addition, it solidifies the message that the DoD has been sending to the Defense Industrial Base that in this new model, Plan of Action & Milestones (PoA&Ms) will have limited allowance.
PoA&Ms are not permitted whatsoever at Level 1. At Level 2, they will be time-restricted to 180 days from assessment conclusion, which will be considered a “Conditional CMMC Status.” This means all 110 practices outlined in NIST SP 800-171 must be satisfied within that period for contract award. Any PoA&M closed within the 180-day period will need to be reevaluated for validation.
A minimum of 80% of the requirements must be met in order for PoA&Ms to be considered for Conditional CMMC Status, and no PoA&M item may have a point value greater than 1, with the exception of a few specified practices.
The Rule also provides a flow-down matrix, dictating that prime contractors with a Level 2 external assessment requirement impose the same on their subcontractors.
What’s next?
While this rule establishes the CMMC Program and framework, there is a second proposed Rule, Title 48 CFR, which facilitates inclusion of the DFARS 252.204-7021 clause in defense contracts, making CMMC requirements enforceable contractual obligations.
In short: Title 32 (released) establishes CMMC, and Title 48 (proposed) enforces it.
Not coincidentally, the comment period for Title 48 ends in four days, the same day Title 32 is published. The DoD states in its press release that Title 48 will be published in early-to-mid 2025.
What should I do now?
These are the recommended areas of focus, which OCD Tech can help you address:
- Review and update your System Security Plan
- Evaluate in-scope Cloud Service Providers for compliance
- Evaluate External Service Providers for readiness
- Evaluate assessment scope guidance to ensure all relevant assets have been considered
- Collect and review evidence of control implementation to validate compliance
OCD Tech is continuing to review the Rule in its entirety and will provide additional information and resources as soon as available. In the meantime, never hesitate to reach out with questions. I’m always available for a call: https://calendly.com/rharriman/30min
Resources
OCD Tech CMMC Resource Page: https://ocd-tech.com/cmmc/
US Department of Defense Press Release: https://www.defense.gov/News/Releases/Release/Article/3932947/cybersecurity-maturity-model-certification-program-final-rule-published/
32 CFR Part 170 public inspection: https://public-inspection.federalregister.gov/2024-22905.pdf?utm_campaign=pi+subscription+mailing+list&utm_medium=email&utm_source=federalregister.gov
Location of the final document, once officially Published: https://www.federalregister.gov/public-inspection/2024-22905/cybersecurity-maturity-model-certification-program
Title 48 CFR proposed Rule: https://www.federalregister.gov/documents/2024/08/15/2024-18110/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of