The CMMC 2.0 Final Rule’s Been Published: What Actions Do You Need to Take?
Notes to Our Readers:
This blog is co-authored by J. Carlos Vega, my long-time colleague and proven cybersecurity leader. You can find his biography here, and I encourage you to connect with J.C. on Linkedin.
In this blog, J.C. and I outline practical steps companies like yours need to take to prepare for CMMC 2.0.
As a reminder, the content in this blog is meant to be educational, and you’re encouraged to reach out to the U.S. Department of Defense (DoD), should you have specific questions about CMMC’s requirements and timelines.
CMMC’s History
The origins of CMMC date all the way back to November 2010, with Executive Order (E.O.) 13556, Controlled Unclassified Information. The intent of the order was to “establish an open and uniform program for managing [unclassified] information that requires safeguarding or dissemination controls.”
The road to the DoD’s Cybersecurity Maturity Model Certification (CMMC) has been long and winding, to say the least. Initially proposed in January 2020 and updated in November 2021 with the release of CMMC 2.0, the program has been continuously advanced by the DoD as a cybersecurity assessment framework. In October 2024, the CMMC Final Rule was officially published to the Federal Register, which effectively dropped the “2.0” from CMMC’s name. For that reason, we'll be using the term "CMMC" in the remainder of this article.
Ready, Set, Go!
With the final program rule release, the DoD is announcing that implementation of the CMMC standards is imminent. The Defense Industrial Base (DIB), DoD contractors, and subcontractors can no longer stand by and wait on the sidelines. Now is the time to get your company ready and set for the significant time and resources that are required to comply with the DoD's cybersecurity requirements associated with safeguarding CUI. Waiting is not a prudent option; rather, organizations in the DIB need to take immediate action to meet forthcoming contractual requirements, and can even gain a competitive advantage by complying with CMMC early. Further details about publication of the CMMC final rule can be found in the DoD’s press release that's available here.
Why CMMC?
According to the press release that's referred to above, “The purpose of CMMC is to verify that defense contractors are compliant with existing protections for federal contract information (FCI) and controlled unclassified information (CUI) and are protecting that information at a level commensurate with the risk from cybersecurity threats, including advanced persistent threats.” The takeaway is that the DoD is implementing standards that align with cybersecurity best business practices, and like with any DoD and cybersecurity standards, achieving compliance will not be easy, unless you plan, prepare, and execute.
Be Aware of CMMC’s Timelines
Although CMMC has undergone many changes over the years, many in the DIB are unaware that the planned date for CMMC compliance has remained the same: it’s always been 2025. Following the publication of the CMMC final rule, the next step is for the DoD to change contracting requirements in the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7021. The change to the DFARS is anticipated as early as March 2025. The final rule for DFARS 7021 will officially place CMMC clauses into DoD contracts.
Based on our experience, compliance will take significant time and effort. Although the final published rule “streamlines and simplifies the process for small- and medium-sized businesses,” CMMC compliance could easily take 12 to 18 months to achieve on your own, regardless of your company’s size. That’s dependent on your organization having the requisite skills, processes, and procedures in place. So, no matter how your company tackles this compliance requirement, it’s time to take the next step.
Confirm That CMMC Applies to Your Organization
The first step is to determine whether CMMC applies to your organization. CMMC requirements apply to your organization if you’re a DoD contractor (and/or subcontractor) who manages (processes, stores, or transmits) Controlled Unclassified Information (CUI) or Federal Contract Information (FCI).
Specific CMMC requirements have been updated to include the following:
CMMC Level 1:
Level 1 applies to DoD contractors and subcontractors who manage FCI only. When CMMC goes into full effect, Level 1 organizations will be required to perform annual self-assessments and have their results submitted into the Supplier Performance Risk System (SPRS).
CMMC Level 2:
Level 2 applies to DoD contractors and subcontractors who manage CUI. A small proportion of Level 2 organizations (approximately 5%) will be required to perform annual self-assessments and submit their results into SPRS, as outlined in the Level 1 description above.
The remaining 95% will be subject to formal triennial assessments by a Certified Third-Party Assessor Organization (C3PAO). Their results will be submitted into the Enterprise Mission Assurance Support Service (eMASS).
CMMC Level 3:
Level 3 mainly applies to the largest DoD contractors, who manage the DoD’s most sensitive contracts. In addition to being subject to CMMC Level 2 final assessments, Level 3 organizations are subject to 24 NIST SP 800-172 requirements that are assessed by the Defense Contract Management Agency Defense Industrial Base Cybersecurity Assessment Center (DCMA DIBCAC). Similar to Level 2, Level 3 companies’ results need to be submitted into eMASS.
In all cases, CMMC certification will ultimately be required as a condition of DoD’s awarded contracts.
Understand What’s Changed with the Final Rule
Although the transition from the CMMC 2.0 proposed rule to the final CMMC rule didn’t result in blockbuster changes, you need to be aware of the following updates:
Limit the Number of Assets Subject to CMMC Assessment
In order to keep your assessment as lean as possible, you’ll want to exclude assets (people, technology or facilities) that you don’t want to be included in your CMMC scoping, by restricting unnecessary assets’ ability to store, process or transmit CUI or FCI. You will also want to restrict access to FCI/CUI to users who have a lawful government purpose to access the information. You should also take the necessary precautions to protect your infrastructure’s Security Protection Data (SPD), since the information in the SPD is of significant value in a potential cyber-attacker’s hands.
Choose a Qualified CMMC Partner to Fast-Track Your Journey
Partnering with experts is a crucial step that's often overlooked in CMMC compliance efforts. Many organizations attempt to manage the process on their own, missing out on the deep technical and industry expertise that skilled partners provide. Collaborating with a specialist allows you to stay focused on your core business, while partners handle full or partial responsibility for CMMC's infrastructure practices. That approach lets your team concentrate on other critical tasks while still addressing compliance requirements.
Working with an experienced partner can also help you to save time, enable your technical teams to augment their weaker skill sets, and even expand your team’s compliance knowledge. In this webinar replay, Bridget Wilson, SVP of Governance, Risk & Compliance at Network Coverage, and I discuss ten questions you should ask a CMMC compliance partner, in order to get the process started.
Scarcity Alert! Schedule & Budget for Your CMMC Assessment Now
According to published reports, third-party CMMC assessments could begin as early as December 2024. Based on the relatively small number of Cyber AB assessment organizations compared to the number of organizations that will require assessments, a significant assessment backlog is bound to develop over time. If you believe that your company is ready to begin the assessment process, we recommend that you do so immediately, to get your place in line.
You will also need to budget for your C3PAO assessment, which is estimated to cost between $50,000 and $60,000 for Level 2 organizations, based on their requirements.
If that cost appears to be high, it’s because your CMMC assessment team will be required to have the following experts:
The assessment costs outlined above are in addition to the cost of technical updates and infrastructure that may be required to comply with CMMC’s practices. So, it’s mission-critical to get budgetary requests on your executive team’s radar-screen straightaway.
Get Ready for Your Annual Affirmation
One of the key drivers for CMMC’s creation was the general disbelief that DoD contractors were taking the necessary cybersecurity precautions to protect FCI, CUI, and the larger DIB supply chain, even though contractors were required to complete self-assessments.
The CMMC final rule addresses that by requiring that an “affirming official,” with the appropriate authority, certify information that’s entered into SPRS and eMASS. You’ll need to identify the affirming official (if you haven’t done so already) and bring him/her up to speed on all of the specifics of your CMMC program. This step is extremely important, because improper affirmation could result in a violation of the False Claims Act. The affirming official also attests that the organization is satisfying, and will maintain, its specified cybersecurity requirements, as outlined here in the Federal Register.
Keep Your Eyes on the Contracting Prize
After reading through all of those requirements and processes, many DIB companies might be tempted to throw their hands up in the air and consider forgoing DoD business.
However, when we consider that the U.S. DoD’s Total Obligation Authority (TOA) rose 5.7% from FY 2022 to FY 2023 to $813.7 billion, most organizations will make the obvious choice to continue to pursue reliable U.S. DoD contracts, making CMMC a “must-have” for them. You can learn more about the impact of CMMC compliance on your company’s financial success by watching this webinar replay.
Stay Tuned for Future CMMC-Style Regulation
As of this blog’s publication date, significant discussion is circulating about the potential application of CMMC-style guidelines to government agencies beyond the U.S. DoD. However, as currently proposed, CMMC only applies to DoD contractors and subcontractors. We’re likely to have more clarity on this topic after the U.S. presidential change of administration in January 2025.
Learn More
These recommendations are meant to get you on the fast track to CMMC compliance. A valuable resource for this blog content, in addition to our own personal experience in working with CMMC, is the webinar titled “The Wait is Over…The Final CMMC Rule Explained.” Please attend Egnyte's November 19th webinar if you have questions; a replay will be available after our live session.
1 month ago: #CMMC is important for those selling into the US Government; however, I feel it's a GREAT way to gauge maturity in #Cybersecurity for many walks. #CISO Execs looking at it carefully.