The CMMC 2.0 Rule - Now Published
Date: 2024-10-21
Subject: Review of the main themes and important facts in the "2024-22905 DFARS CMMC Rule.pdf"
Purpose: This document provides a detailed analysis of the key themes and information presented in the provided excerpt of the Department of Defense (DoD) "2024-22905 DFARS CMMC Rule.pdf", outlining the Cybersecurity Maturity Model Certification (CMMC) 2.0 program.
Summary:
The CMMC 2.0 program represents a significant overhaul of the DoD's approach to safeguarding Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) residing on contractor systems. The program aims to enhance cybersecurity posture within the Defense Industrial Base (DIB) by implementing a tiered assessment framework based on NIST SP 800-171 and 800-172. Key shifts from the previous CMMC model include:
Simplified Model: Reducing the model to three levels: Level 1 (Foundational), Level 2 (Advanced) and Level 3 (Expert).
Focus on Prioritization: Level 2 aligns with NIST SP 800-171, while Level 3 focuses on a subset of enhanced security requirements from NIST SP 800-172.
Emphasis on Self-Assessment: Reinstating self-assessment for Level 1 and Level 2, allowing for more flexibility for organizations.
Third-Party Assessment for Critical Programs: Mandating independent third-party assessments conducted by CMMC Third-Party Assessment Organizations (C3PAOs) for Level 2 when handling CUI for critical programs and for Level 3.
Enhanced Oversight and Enforcement: The Defense Contract Management Agency (DCMA) retains oversight, conducts assessments, and investigates potential non-compliance.
Phased Implementation: Gradual rollout of CMMC 2.0 requirements in solicitations and contracts over a five-year period.
Key Themes:
Strengthening Cybersecurity Posture: The rule emphasizes bolstering the cybersecurity practices of DIB companies to mitigate evolving threats. This is evident in the requirement for compliance with NIST SP 800-171 and, for certain contracts, the more rigorous NIST SP 800-172 standards.
“The CMMC Program provides the Department the mechanism needed to verify that a defense contractor or subcontractor has implemented the security requirements at each CMMC Level and can adequately protect FCI and CUI.”
Verification and Assessment: The rule introduces a structured assessment process to validate contractors' security implementations. This involves self-assessments for Levels 1 and 2, and mandatory third-party assessments by C3PAOs or the DCMA's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) for Level 2 efforts that handle CUI for critical programs and for Level 3.
"Solicitations for DoD contracts that will involve the processing, storing, or transmitting of FCI or CUI on any nonfederal system, regardless of the size or configuration of the nonfederal system, will specify the required CMMC Level (1, 2 or 3) and assessment type (self-assessment or independent third-party assessment)."
Flexibility and Scalability: The rule recognizes the diverse nature of the DIB and offers flexibility through the tiered assessment framework. This allows organizations to achieve a CMMC level commensurate with the sensitivity of the information they handle, streamlining compliance for smaller entities.
“The CMMC Program applies only to DoD contracts that include the DFARS clause 252.204-7021 and under which FCI or CUI is processed, stored, or transmitted on contractor information systems.”
Accountability and Enforcement: The rule establishes mechanisms for holding contractors accountable for maintaining compliance. The DCMA retains oversight and may conduct investigations or assessments to ensure adherence to the outlined requirements.
"The DoD reserves the right to conduct a DCMA DIBCAC assessment of the OSA, as permitted under DFARS clause 252.204-7012 and DFARS clause 252.204-7020."
Phased Rollout: Recognizing the potential burden on contractors, the rule outlines a five-year phase-in period for incorporating CMMC requirements into solicitations. This phased approach allows for a gradual transition, affording organizations sufficient time to achieve and demonstrate compliance.
"CMMC Status requirements for Levels 1, 2, and 3 will be included in solicitations and resulting contracts issued after the phase-in period when warranted by any FCI and/or CUI information protection requirements for the contract effort."
Important Facts:
Three CMMC Levels:
Level 1 (Foundational) - Safeguarding FCI (17 controls)
Level 2 (Advanced) - Safeguarding CUI (110 controls from NIST SP 800-171 R2)
Level 3 (Expert) - Protecting against Advanced Persistent Threats (APT) (130 controls, a subset from NIST SP 800-172)
Self-assessments Allowed: Organizations can self-assess for Level 1 and Level 2. Level 2 efforts that handle CUI for critical programs require a third-party assessment.
Mandatory Third-Party Assessments: Level 3 requires assessment by a C3PAO or DIBCAC.
CMMC Status Validity: CMMC assessments are valid for three years.
POA&Ms: Plans of Action & Milestones are permitted for Level 2 and Level 3 but are subject to specific guidelines and timeframes.
Exemptions: Contracts exclusively for Commercial Off-The-Shelf (COTS) products are exempt from CMMC requirements.
Scoring Methodology: A detailed scoring system is in place for Level 2 and Level 3 assessments, with points deducted for non-compliance based on the severity of the deficiency.
Next Steps:
DIB organizations should:
Familiarize themselves with the rule's requirements and the CMMC assessment process.
Determine the CMMC level applicable to their organization based on the type of information handled and contracts pursued.
Begin implementing the necessary security controls outlined in NIST SP 800-171 and, if applicable, NIST SP 800-172.
Engage with C3PAOs or DIBCAC, as needed, to prepare for upcoming assessments.
This briefing document provides a high-level overview of the CMMC 2.0 rule. For further details, please refer to the complete "2024-22905 DFARS CMMC Rule.pdf" and relevant NIST publications.