Proposed Rule published in Federal Register.
60-day comment period begins

The Department of Defense’s CMMC program has taken a huge leap forward with the publication of the CMMC Proposed Rule on December 26th in the Federal Register. This kicks off a 60-day comment period, with the expectation that CMMC will begin to appear in contracts by late 2024 or early 2025.
 

7 key takeaways from the Proposed Rule:

1. CMMC will be finalized. Publication of the proposed rule is a huge leap toward adoption of DFARS 252.204-7021 and enactment of the CMMC program. DFARS 7021 requires all defense contractors to achieve CMMC certification at the level specified in their contract by the time of award. Failure to get certified means contractors won’t be eligible for future contracts and may be in breach of existing contracts
2. The security controls required at CMMC Level 2 will mirror the 110 controls in NIST SP 800-171 R2, which have been required for several years. Defense contractors that handle Controlled Unclassified Information (CUI) will need to achieve at least CMMC Level 2 to be eligible to continue working for the DoD or for any prime contractor in the defense supply chain above it. Moreover, they will have to comply with NIST 800-171 R2 – not Revision 3.
3. 95% of organizations seeking CMMC Level 2 certification will need to be assessed by accredited C3PAOs (CMMC Third Party Assessment Organizations) once every three years. The DoD estimates that 95% of organizations handling CUI will need a C3PAO certification. In the Federal Register, the DoD noted that over 76K companies will need CMMC level 2 certification assessments vs. only 4K that will be able to self-assess.

Estimated Number of Entities by Type and Level

source: Federal Register

4. POA&Ms will be permitted under limited circumstances. Organizations seeking CMMC certification do not need to achieve a perfect 110/110 on their NIST SP 800-171 assessment. They do however need to achieve a minimum of 80% or 88 out of 110.
    
   With few exceptions, only 1-point controls can be POAMed. And, even with that allowance, not all 1-point controls are POAMable. POA&Ms will not be permitted for the majority of higher-weighted 3-point and 5-point security controls. In addition, all security gaps will need to be addressed within 180 days of the initial assessment.
5. 110/110 Joint Surveillance Voluntary Assessments (JSVA) results will be directly transferable to CMMC Level 2 certification. JSVA and DIBCAC High Assessments will convert to CMMC Level 2 certificates, but only if you achieved a perfect JSVA score with no-open POAMs. Read here how 2 contractors achieved this perfect score using PreVeil.
6. If a defense contractor—and/or the Cloud Service Provider (CSP) they work with—uses encryption to protect CUI and support CMMC Level 2 certification, a FIPS validated cryptographic module must be used in both cases. Ask your CSP for their FIPS 140-2 certification. If they are unable to provide this documentation, you will not be able to use their software.
7. The CMMC Proposed Rule confirms that DFARS 252.204-7012 (c)-(g) will remain in place, which means commercial email systems like Microsoft’s O365 Commercial are not compliant. DFARS 252.204-7012 (c)-(g) stipulates cyber incident reporting requirements, so organizations that use Cloud Service Providers should ask for attestation that their CSP meets them.

Timing

The 60-day comment period for the CMMC proposed rule began on December 26th, upon publication in the Federal Register.
 

 
When the comment period ends on February 26, 2024, DoD will adjudicate and respond to all relevant comments. This process could take 6-12+ months, with the CMMC Final Rule expected to be published in late 2024 or early 2025.
 
Once CMMC is incorporated into DFARS, contractors may be required to achieve CMMC certification prior to contract award. CMMC will be fully phased in over a 3-year period.

How to submit your comments on the Proposed Rule

The comment period is your opportunity to directly influence the shape of the CMMC program. DoD is bound by law to consider and respond to your comment. Comments can be submitted at the Federal Register until February 26 2024.

What Do I Have to Do Now to Get Ready for CMMC?

CMMC will be finalized and you will be required to meet its requirements. It is important for contractors to understand that even though CMMC will be phased in over time, it does not necessarily follow that you will have more time to achieve CMMC certification. For example, your organization could be down the supply chain from another contractor subject to CMMC, in which case, per DFARS 252.204-7020, that contractor must flow down CMMC requirements to your organization.
 
As Matt Travis (CEO of the CyberAB) noted in a recent PreVeil webinar:

 
The average small company in the DIB will need 12-18 months to prepare for its CMMC assessment. That means that now is the time to improve your cybersecurity posture. Security requirements for CMMC Level 2 mirror NIST SP 800-171, and so your most efficient path to CMMC Level 2 certification is via NIST SP 800-171 compliance.

PreVeil’s CMMC solution

PreVeil is the leading solution for achieving CMMC Level 2 compliance. Trusted by over 1,000 small and midsize defense contractors, PreVeil’s solution has proven successful in getting customers a perfect 110/110 NIST score in tough DoD assessments. We decrease the cost and time to achieve compliance by over 60% with our simplified 3-step solution:

• Step 1: Adopt PreVeil’s email and file sharing platform to protect CUI.
• Step 2: Take advantage of PreVeil’s compliance documentation package.
• Step 3: Leverage PreVeil’s partner community of consultants and assessors.

PreVeil’s proven 3-step solution uses a security-first approach to compliance, saving you time, minimizing your risks, and reducing your costs.

To learn more: Book a free 15-minute consultation with our compliance team