CMMC
CMMC took a major step forward with the publishing of the Title 32 Rule. While the CMMC program has not been fully implemented, current and prospective members of the DIB need to align their cybersecurity efforts with the upcoming requirements.
On October 15, 2024, the Cybersecurity Maturity Model Certification (CMMC) Program Final Rule was published in the Federal Register – see: https://www.federalregister.gov/documents/2024/10/15/2024-22905/cybersecurity-maturity-model-certification-cmmc-program
This rule, published under Title 32 of the CFR, will work in conjunction with the Title 48 rule, which was published earlier this year.
The Title 32 Rule addresses and authorizes the CMMC program. According to the Federal Register, “This rule is effective December 16, 2024.” The Title 48 Rule addresses how CMMC will be implemented in Defense contracts in four Phases.
When the Title 48 Rule was published earlier this year on August 15, 2024, it was published as a proposed rule. The comment period closed on October 15, 2024 and comments are being reviewed. According to a DoD press release published on October 11, 2024, “The DoD's follow-on Defense Federal Acquisition Regulation Supplement (DFARS) rule change to contractually implement the CMMC Program will be published in early to mid-2025. Once that rule is effective, DoD will include CMMC requirements in solicitations and contracts. Contractors who process, store, or transmit FCI or CUI must achieve the appropriate level of CMMC as a condition of contract award.” (emphasis added)
Implementation of the requirements is not a trivial matter. Implementation takes time and effort and may involve costs. Some companies may have the required experience and expertise “in-house”; others may need to identify appropriate talent that can most effectively assist with implementing a tailored program. Implementing CMMC requires a specific set of knowledge and skills, so companies should verify the credentials of any firm they engage. One source of company information is the Cyber AB Marketplace – see: https://cyberab.org/Catalog
In implementing CMMC, companies should evaluate the types of information that they may handle. If they will only handle Federal Contract Information (FCI), then they will need to implement only those elements that apply to CMMC Level 1 (see FAR 52.204-21, which lists 15 elements). However, if a company will likely handle Controlled Unclassified Information (CUI), it will need to determine whether it will pursue the self-assessment path or the external assessment path. This choice will make a difference, and it may also limit a company’s future opportunities.
Additionally, CMMC has flow-down requirements. Companies that use suppliers and/or subcontractors will need to ensure that each member of their supply chain is compliant with program requirements at least equal to their certification level or recruit new supply chain members.
Each company will need to evaluate its information system to determine how to best implement this critical program. Trying to take a cookie-cutter approach may work for some NIST elements but this approach cannot factor in important variables.
To assist companies with identifying resources, “the DoD CIO DIB Cybersecurity Program has compiled a list of current resources available at dibnet.dod.mil under DoD DIB Cybersecurity-as-a-Service (CSaaS) Services and Support.”
As always, companies that have questions about federal contracts, contracting and/or cybersecurity issues should reach out to the Wisconsin Procurement Institute.