By Scott M. McAuliffe, CPA, CISA, CFE, Risk Advisory Services Partner
On December 26, 2023, the Department of Defense’s (DoD) much-anticipated Cybersecurity Maturity Model Certification (CMMC) 2.0 was published into the Federal Register as a Proposed Rule. The Proposed Rule largely aligns with industry expectations and what was previously published or discussed by the DoD. The Proposed Rule continues to emphasize the DoD’s view that the Defense Industrial Base (DIB) should have already implemented strong cybersecurity practices as required under DFARS 252.204-7012, and the CMMC 2.0 Rule provides new assessment and certification requirements.
The DIB has until February 26, 2024, to provide comments on the proposed rule, which the DoD will review and respond to before issuing the Final Rule. Based on past history and the significance of the Rule, it is believed that the Final Rule will be issued in early 2025.
Key Takeaways from the CMMC 2.0 Proposed Rule
- There are three CMMC Assessment Levels:
  - CMMC Level 1: Applicable for prime and subcontractors that have access to Federal Contract Information (FCI). These organizations will be allowed to self-assess compliance with the 15 practices detailed in FAR 52.204-21. The Proposed Rule aligns these requirements to 17 practices in NIST SP 800-171 Rev 2 and the CMMC Level 1 Assessment Guide.
  - CMMC Level 2: Applicable for prime and subcontractors that have access to Controlled Unclassified Information (CUI). The majority of these organizations will be required to have a CMMC Third Party Assessment Organization (C3PAO) perform an independent assessment of the organization’s compliance with the 110 practices in NIST SP 800-171 Rev 2.
  - CMMC Level 3: Applicable for prime and subcontractors that have access to Controlled Unclassified Information (CUI). These organizations will be required to have the DoD perform an assessment of the organization’s compliance with the 110 practices detailed in NIST SP 800-171 Rev 2, as well as an additional 24 practices in NIST SP 800-172.
- The DoD is requiring all prime and subcontractors to designate a senior official responsible for ensuring compliance with CMMC Program requirements, who must annually affirm continued compliance with the specified security requirements; the affirmation is entered electronically in the DoD’s Supplier Performance Risk System (SPRS). This is similar to the Sarbanes-Oxley Act (SOX), which requires CEOs and CFOs to take ownership of the financial statements and supporting internal controls. As with SOX, we believe the affirming senior officials should ensure their affirmations are supported by a body of evidence, or potentially face prosecution under the False Claims Act.
- Prime and subcontractors that are required to comply with CMMC Level 2 or 3 are allowed to have Plan of Action & Milestones (POA&M) for certain lower risk practices. However, the contractor must remediate the POA&M and have a C3PAO assess the remediated practices within 180 days to be able to achieve CMMC certification.
- The prime contractor will be responsible for ensuring CMMC requirements are “flowed down” to subcontractors that will process, store, or transmit FCI or CUI. This could result in prime contractors accelerating subcontractors’ compliance with CMMC 2.0 so as not to impact their award of DoD contracts.
- The CMMC 2.0 Rule states that a prime or subcontractor using an External Service Provider (ESP), such as a Managed Service Provider (MSP), that processes, stores, or transmits FCI or CUI must have a CMMC certification level equal to or greater than the certification level of the prime or subcontractor.
- Within the CMMC ecosystem, there has been a lot of discussion on what FedRAMP Moderate equivalency is for a Cloud Service Provider (CSP). The DoD issued a letter on January 3, 2024, that details the requirements for a CSP to meet FedRAMP Moderate equivalency. The letter indicates the CSP must achieve 100 percent compliance with the FedRAMP Moderate security baseline through an assessment conducted by a FedRAMP-recognized Third Party Assessment Organization (3PAO). The letter also details the body of evidence (BoE) that is required to be provided to the defense contractor. The BoE documentation includes the CSP’s System Security Plan (SSP), Security Assessment Plan (SAP), Security Assessment Report (SAR) performed by the 3PAO, and any POA&Ms.
- The DoD believes there are 221,286 organizations that need to comply with CMMC 2.0.
The DoD’s breakdown of these organizations’ CMMC Assessment Level is as follows:
| Assessment Level | Total DIB Companies |
|---|---|
| Level 1 Self-Assessment | 139,201 |
| Level 2 Self-Assessment | 4,000 |
| Level 2 Certification Assessment | 76,598 |
| Level 3 Certification Assessment | 1,487 |
- The DoD has provided some guidance regarding the costs to obtain an assessment. These costs are for the assessment only. The DoD has indicated that the costs to get ready for the Rule should have already been incurred when DFARS 252.204-7012 went into effect in 2017.
| Assessment Level | Costs |
|---|---|
| Level 1 Self-Assessment | $4,042 |
| Level 2 Self-Assessment | $48,827 |
| Level 2 Certification Assessment | $117,768 |
| Level 3 Certification Assessment | $41,050* |
*DoD will conduct Level 3 Assessments.
One can interpret from these cost estimates that the DoD expects organizations to put significant effort even into their self-assessments.
CMMC 2.0 scoping and planning
Many DIB companies have elected to wait to perform CMMC readiness activities, not wanting to incur costs chasing compliance with a moving target. However, considering how few surprises were in the Proposed Rule, it also seems likely the Final Rule will not materially differ from the Proposed Rule. Considering it can take 12-18 months for an organization to prepare for a CMMC assessment, companies should immediately start the CMMC planning and scoping process. Planning and scoping includes establishing the leader(s) of the organization’s CMMC program, determining the organization’s CMMC Maturity Level, documenting the flow of FCI and CUI, and identifying the in-scope assets and service providers (e.g., MSPs or CSPs) that process, store, or transmit FCI or CUI. Planning and scoping provide early opportunities to restrict the flow of FCI and CUI, and thereby reduce the scope and ultimately the costs of compliance with CMMC.
After years of piecing together public statements, rumors, and sporadic publications and revisions, the CMMC is finally coming into focus. Keiter is an RPO and has a team of cybersecurity consultants that are ready to assist DoD contractors with CMMC scoping, gap assessment, and other readiness consulting services, powered by our custom CMMC project management and documentation tools.
Keiter’s Cybersecurity team will continue to monitor the rollout of the CMMC program and update you on new information and changing requirements for DoD contractors. Questions? Contact us: Email | 804.747.0000
The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.