As you might know, CMMC is an acronym that stands for the "Cybersecurity Maturity Model Certification".  Put in simpler terms, if you are a defense contractor, or even a subcontractor, you will need to be certified at a particular Maturity Level before you are allowed to bid on a contract sponsored by the Department of Defense (DoD).

The primary reason for this is that the DoD is entrusting into your care sensitive Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) datasets, which are needed to fulfill the terms of a contract if you are awarded one.  It is important to note that the CMMC has been through many revisions since its inception, the main one being a reduction to three Maturity Levels, versus the five that existed in CMMC 1.0.

In December 2023, the DoD published the proposed 32 CFR rule (32 CFR Part 170) in the Federal Register, which lays the groundwork for the CMMC program, its structure and requirements, and the assessment process.

On Thursday, August 15, 2024, the DoD published the proposed 48 CFR rule in the Federal Register, which lays out the contractual obligations, specifically including CMMC requirements in contracts alongside the existing DFARS 252.204-7012 clause.

These two rules define the process (32 CFR) and the contract requirements (48 CFR).  Let's take a closer look at what this means for CMMC.

The Updates

Summary of 32 CFR and 48 CFR

1. 32 CFR – How this will happen:

32 CFR lays the foundation for the CMMC program, detailing the structure, requirements, and assessment processes for the different levels of cybersecurity maturity.  The rule also specifies the procedures for conducting assessments, including who performs them (self-assessments, third-party assessments, or government-led assessments) and how often they must be performed.  As part of this, the rule outlines the specific security requirements for each CMMC level, focusing on safeguarding Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

32 CFR tells us the process that we need to follow to be certified, and there are three parts to this: the framework, the assessment, and the security requirements.

2. 48 CFR – Who this applies to

48 CFR brings CMMC requirements into defense contracts by incorporating the DFARS 252.204-7021 clause, making CMMC compliance a contractual obligation.  As part of this, the rule requires that contractors hold the appropriate CMMC certification before being awarded new contracts or having existing ones renewed.  Implementation will follow a phased rollout of CMMC compliance over three years, gradually integrating the requirements into the defense contracting process.  In other words, the DoD will be taking a phased approach to CMMC 2.0.

Conclusion

The Cybersecurity Maturity Model Certification (CMMC) is nearing the final stages of approval, and the rules are expected to be finalized soon.  Our expectation is that the final version of the 32 CFR rule will be published in the Federal Register sometime between October 15 and November 15, with the rule taking effect within 90 days thereafter.  Following this, contractor requirements are likely to be announced shortly, as has historically been the case once a 32 CFR rule is established.

As the timeline progresses, it is crucial to establish the necessary processes and policies, and to adopt the CMMC Level 2 standards (NIST SP 800-171 Rev. 2) as the foundational framework for conducting business in the future.  The time to act is now, as we prepare for these impending changes.

At KAMIND IT, we are here to help you in any way that is needed so that you come into full CMMC 2.0 compliance.  Contact us today if you need our help.