CMMC Marketplace

Defense

McLean, VA 3,033 followers

Connecting Government Contractors to Qualified CMMC Service Providers

About us

CMMC Marketplace connects government contractors that are looking to achieve Cybersecurity Maturity Model Certification (CMMC) compliance with qualified CMMC service providers.

Website
https://www.cmmcmarketplace.com
Industry
Defense
Company size
11-50 employees
Headquarters
McLean, VA
Type
Nonprofit

Updates

  • CMMC Marketplace reposted this

    Robert Metzger (LinkedIn Influencer)

    Rogers Joseph O'Donnell | JD || LinkedIn "Top Voice" || 2024 Lawdragon 500 Cyber || Federal 100 Winner || Board Member || Expert Witness || Cyber, Supply Chain and National Security Specialist

    Just learned that Rep. Gary Palmer (R.-AL) has introduced a resolution, H.J. Res. 221, under the Congressional Review Act, to invalidate the 32 CFR CMMC "Program Rule."

    "If a joint resolution of disapproval is submitted within the CRA-specified deadline, passed by Congress, and signed by the President, the CRA states that the disapproved rule “shall not take effect (or continue).” The rule would be deemed not to have had any effect at any time, and even provisions that had become effective would be retroactively negated." (From the CRS Report https://lnkd.in/gcZP3Qn7 (2021).) "In order to be enacted, a bill or joint resolution has to pass the House and Senate with identical text in both chambers and be signed by the President, enacted over his veto, or become law without his signature." (Same CRS Report.) "The CRA has been used to overturn a total of 20 rules: one in the 107th Congress (2001-2002), 16 in the 115th Congress (2017-2018), and three in the 117th Congress (2021-2022)." (CRS Brief Overview on CRA (2024) https://lnkd.in/g6B9tyAc.)

    My initial reaction: I'm not surprised a disapproval resolution has been introduced. There is a large number of companies who express concern about their ability to satisfy the CMMC security demands. Getting the disapproval passed by both House and Senate happens relatively rarely. This rule relates back to the previous Trump Administration when the CMMC program was introduced. There are very strong national security reasons to proceed with the rule, IMO, and my read of the new Administration is that it is unlikely to accommodate insufficient cyber security on the part of DIB companies in the face of continuing cyber espionage and exfiltration threats, especially from the P.R.C. I appreciate that this Administration has much hesitation about excesses of federal rulemaking, and CMMC is a demanding rule. However, as the GAO has already indicated, the CMMC rule followed the required procedural steps. https://lnkd.in/gve_vtJ4

    DoD wisely has a rollout program that proceeds over four years and begins only when the companion Part 48 CMMC "Contract Rule" is finalized, which won't occur before mid-2025.

    Finally, there is interest in Congress in tax legislation that would assist very small businesses by extending a tax credit to cover some of the "unique" costs of compliance with the CMMC rule, i.e., the cost of assessment and of closing POA&Ms (gaps) that surface during assessments. We could see activity on this tax credit early next year when the House Ways & Means Committee takes up various tax measures that are said to be important to the new Administration.

    Personal opinion. https://lnkd.in/gksp7sW8

    Text - H.J.Res.221 - 118th Congress (2023-2024): Providing for congressional disapproval under chapter 8 of title 5, United States Code, of the rule submitted by the Department of Defense relating to "Cybersecurity Maturity Model Certification (CMMC) Program".

    congress.gov

  • CMMC Marketplace reposted this

    Ron Ross

    Computer and Information Systems Security, Systems Security Engineering, Risk Management

    BREAKING: The initial public draft of NIST SP 800-172, Rev. 3 is now live. https://lnkd.in/e6T-MJhv Protecting Controlled Unclassified Information associated with critical programs and high value assets is both a national security concern and an economic security concern. Security requirements matter. Bring your A-game. The adversaries are bringing theirs. #NIST800172Rev3 #ProtectCUI #SystemResilience #Risk #Confidentiality #Integrity #Availability #DIB #CMMC #APT #MissionAssurance #SecurityRequirements #AttackSurface #PenetrationResistance #DamageLimitation #CyberThreat

  • CMMC Marketplace reposted this

    Office of the DoD Chief Information Officer

    29,277 followers

    The DoD CIO is excited to announce the CMMC 32 CFR program rule was released for public inspection today and is expected to be published on Tuesday 15 Oct. This rule streamlines and simplifies the process for small- and medium-sized businesses by reducing the number of assessment levels from the five in the original program to three under the new program. Companies may use cloud service offerings to meet the cybersecurity requirements that must be assessed as part of the CMMC requirement. The DoD CIO would like to thank all the businesses and industry associations that provided input during the public comment period. Improving the cybersecurity of the defense industrial base (DIB) is essential to protecting the products of American ingenuity and the national security information that supports and enables our warfighters. Your input improved the rule and will help improve security of critical information while making it easier for small- and medium-sized businesses to meet their contractual obligations. Read more at: https://lnkd.in/eAgd9SdK #Cybersecurity #DIB #DIBCS #DC3

  • CMMC Marketplace reposted this

    Thad Wellin, CISSP, CCP, CCA

    Chief Executive Officer at TRW Security Solutions

    Note of interest with the CMMC Rule (32 CFR Part 170) about to go final. There are 56 Authorized C3PAOs and 278 CCAs listed in the marketplace. There are another 244 organizations in the pipeline to be an authorized C3PAO. Once the CMMC rule goes final, official CMMC Level 2 assessments can start after 60 days. I am very interested to see what is in the final rule around Security Protection Data. This will make or break organizations being able to proceed with an assessment or not. We will also need the CAP from the Cyber AB. During the last Cyber AB town hall, Matthew Travis said it is just waiting for the final rule before it is released. DIB, are you ready?

  • CMMC Marketplace reposted this

    Bailey Bickley

    Chief DIB Defense, NSA Cybersecurity Collaboration Center

    An FYSA on NSA’s cybersecurity offerings for #DIB: We have been in consistent communication with DIBCAC about the need to map our services to NIST 800-171a. We asked DIBCAC for their template to do the 170A mapping in a way that would make it easy for them to both validate and (hopefully) endorse our offerings’ support to 171 controls as an authoritative figure, versus NSA doing the mapping and providing that to the DIB independent of DIBCAC. We received this spreadsheet as recently as two weeks ago and are inputting the data. Our goal is that when CMMC is live, so will a DIBCAC validated mapping of our services to requirements at the granular level of detail the community has requested. If anybody has any questions or feedback, they are welcome to reach out to me directly.

  • CMMC Marketplace reposted this

    Sara Friedman

    Managing Editor at Inside Cybersecurity

    The National Defense Industrial Association is concerned over the Defense Department’s ability to have enough capacity for the demand in assessments once the Cybersecurity Maturity Model Certification program gets up and running following the conclusion of the rulemaking process. The Pentagon is in the process of finalizing two rulemakings that are needed to officially launch the CMMC program with the first making changes to Title 32 of the Code of Federal Regulations and a second amending Title 48 of the CFR which contains DOD’s acquisition rules. The Title 32 rule was published as a proposed rule in December, while the 48 CFR proposed rule is still under review at OMB’s Office of Information and Regulatory Affairs. “We’re still kind of up in the air on when we are going to see the final rule, what are going to be final implementation timelines. So we’re expecting the 32 CFR rule to come out and another rule to actually put in the DFARS, which raises the question of is there going to be bottlenecks,” NDIA’s Michael Seeds told Inside Cybersecurity.

    Defense group sees potential ‘bottlenecks’ for CMMC assessments, issues around CUI as rulemaking process moves forward

    insidecybersecurity.com
