GovCon Expert Payam Pourkhomami Analyzes Differences Between CFR 32 & CFR 48

By Payam Pourkhomami, President & CEO of OSIbeyond

As the implementation of the Cybersecurity Maturity Model Certification program draws closer, Department of Defense contractors and subcontractors should be considering not only how to prepare for a CMMC 2.0 assessment, but also how to maintain ongoing CMMC 2.0 compliance.

Central to understanding the CMMC program are the rules outlined in Title 32 and Title 48 of the Code of Federal Regulations, or CFR. These rules govern different aspects of the CMMC implementation and thus impact defense contractors’ journeys to compliance.

CFR 32: The Blueprint for CMMC Implementation

Title 32 of the CFR serves as the cornerstone for the CMMC program. Recently published for public comment and anticipated to be finalized in the fourth quarter of 2024, CFR 32 is set to become effective in the first quarter of 2025.

The finalization of CFR 32 will mark an important moment in the implementation of the CMMC program. Once enacted, it will enable the completion of the CMMC Assessment process in alignment with the rule’s requirements. This milestone will pave the way for CMMC Third Party Assessment Organizations, or C3PAOs, to begin conducting official assessments. Perhaps even more significantly, the establishment of the CFR 32 rule and the CMMC Assessment process will green-light prime contractors to initiate mandatory certification assessments for their entire supply chain.

To help you better understand how CFR 32 provides a comprehensive framework for the CMMC initiative, here’s a high-level overview detailing the most important aspects of the program:

Program Structure and Requirements

CFR 32 outlines CMMC as a three-tiered model, and it describes the specific security requirements for each level:

  • Level one focuses on the basic safeguarding of federal contract information, a.k.a. FCI, using the 17 controls from FAR 52.204-21.
  • Level two addresses the protection of controlled unclassified information, a.k.a. CUI, using the 110 security requirements from NIST SP 800-171 Rev 2.
  • Level three provides enhanced protection against advanced persistent threats, a.k.a. APTs, by implementing additional security requirements from NIST SP 800-172.

The requirements are designed to progressively build upon each other to provide sufficient protection for the defense industrial base without burdening less critical contractors with unnecessary requirements.

Assessment and Affirmation Processes

The regulation details the assessment procedures for each CMMC level, including:

  • who conducts the assessments: self-assessments for level one and some level two contracts, third-party assessments by C3PAOs for level two certifications, and government-led assessments for level three;
  • their frequency: annual for level one, triennial for levels two and three; and
  • the criteria for passing.

CFR 32 introduces a new requirement for annual affirmations of compliance by senior officials, to be submitted in the Supplier Performance Risk System, or SPRS. These affirmations serve as a formal attestation of ongoing compliance and may carry legal implications under the False Claims Act.

Scoping, Scoring and Compliance Management

CFR 32 provides detailed guidance on how contractors should scope their CMMC assessments and determine which systems and assets must be included based on their handling of FCI and CUI. It outlines the scoring methodologies used to evaluate compliance at each level, including a point-based system for levels two and three that assigns different weights to various security requirements based on their criticality.

The regulation details the use of POA&Ms for addressing compliance gaps, including which requirements are eligible for POA&Ms and the 180-day timeframe for resolution. It also specifies reporting requirements to create a standardized approach to compliance management across the defense industrial base.

CMMC Ecosystem and Implementation

The regulation defines the roles and responsibilities of various entities within the CMMC accreditation ecosystem. It describes the accreditation and certification processes for these entities, including requirements for background checks and adherence to ethical standards.

CFR 32 also outlines the phased implementation plan for CMMC and how the program will be rolled out over time to minimize disruption to the defense industrial base. Additionally, it addresses how CMMC requirements will be implemented through contracts and flowed down to subcontractors to prevent gaps in the cybersecurity supply chain.

Special Considerations and Prior Assessments

CFR 32 addresses special cases like the use of external service providers and cloud services within the CMMC framework. It outlines processes for dispute resolution regarding assessment results, including the escalation path from C3PAOs to the Accreditation Body.

The regulation describes limited circumstances under which waivers to CMMC requirements may be granted by DOD acquisition executives. It explains how contractors may use prior assessments, such as DCMA DIBCAC High Assessments, to streamline their CMMC certification process.

CFR 48: Implementing CMMC in Federal Acquisitions

While CFR 32 provides the comprehensive framework for the CMMC program, it does not address how CMMC requirements will be incorporated into federal contracts. This is where CFR 48 (Title 48 of the Code of Federal Regulations, widely known as the Federal Acquisition Regulation, or FAR for short) comes into play.

CFR 48 contains the regulations that will lead to the DFARS 252.204-7021 clause (also referred to as the Cybersecurity Maturity Model Certification Requirements clause) being included in contracts.

Once the DFARS 7021 clause is included, contractors will need to maintain a current CMMC certificate at the level specified in their contract for the entire duration of the contract, flow down CMMC requirements to their subcontractors, and verify that their subcontractors have attained the appropriate CMMC certification level before awarding them any subcontracts.

It’s important to point out that, as of now, the CFR 48 rule that will incorporate DFARS 7021 has not been publicly released, and it is earlier in the rulemaking process than CFR 32. There are indications, however, that the process is moving more quickly than it did with CFR 32, in an effort to finalize both rules simultaneously.

Conclusion

CFR 32 and CFR 48 serve complementary yet distinct roles in the implementation of the CMMC program. CFR 32 lays the foundation by providing a framework for the CMMC initiative, detailing the program’s structure, requirements, assessment processes, and more. On the other hand, CFR 48 facilitates the inclusion of the DFARS 252.204-7021 clause in defense contracts so that CMMC requirements become enforceable contractual obligations.

For more information, download the DoD Contractor’s Guide to CMMC 2.0 Compliance.