CMMC Programmatic Final Rule Status: What It Means for Defense Contractors

The Cybersecurity Maturity Model Certification (CMMC) Programmatic Rule will become effective 60 days after October 15, 2024, the date the final rule was published to the Federal Register. Contractors should begin taking steps to ensure compliance, as failure to comply with these standards can result in exclusion from Department of Defense (DoD) contracts, posing significant risks to business operations and financial stability.

The CMMC framework was established by the DoD in an effort to enhance the cybersecurity posture of the Defense Industrial Base (DIB). It establishes prescribed cybersecurity standards that all contractors handling federal contract information (FCI) and controlled unclassified information (CUI) must meet to qualify for DoD contracts.

Current Status of the CMMC Programmatic Rule (CFR 32)

The CMMC Programmatic Rule (CFR 32) establishes CMMC as an official DoD program. Since its inception, CMMC has undergone several refinements to balance the need for robust cybersecurity with the practicalities of implementation across a diverse range of contractors. Several key milestones have marked the journey toward finalization:

  1. Public Comment and Initial Revisions: The initial public commentary phase, which concluded on February 26, 2024, gathered extensive feedback from industry stakeholders. This feedback highlighted the need for a scalable, cost-effective model for assessing contractor cybersecurity and played a critical role in shaping the final version of the rule.
  2. DoD Review and Adjudication of Public Comments: The DoD reviewed all submitted comments, analyzing feedback to determine the impact and relevance of the concerns raised. The DoD responded to significant comments, either by making adjustments to the proposed rule, providing clarifications or explaining why certain suggestions were not incorporated. After considering public input, the final rule was sent to the Office of Information and Regulatory Affairs (OIRA) for review prior to being published to the Federal Register on October 15, 2024.
  3. OIRA Review and Clearance: OIRA completed its review of the final rule on September 13, 2024. This review ensured that the rule aligns with Executive Order 12866, which requires significant regulatory actions to be consistent with federal guidelines. OIRA’s clearance signified that the rule had met all necessary regulatory standards, allowing it to advance to the next phase.
  4. Anticipated Finalization: Following OIRA clearance, the final rule went back to the DoD for a final QA review, formatting and DoD sign-out approval. After which, it was sent to the Office of the Federal Register (OFR), part of the National Archives and Records Administration (NARA), to be published to the Federal Register.

Structure and Requirements of the Final Rule

The finalized CMMC rule introduces a structured approach to assessing contractor compliance with cybersecurity standards. The rule outlines three levels of certification, each corresponding to the sensitivity of information handled:

  • Level 1: Basic safeguarding of FCI, focusing on foundational cybersecurity practices.
  • Level 2: Advanced and more enhanced protection for CUI, aligning with NIST SP 800-171 requirements, targeting contractors who handle more sensitive information.
  • Level 3: Expert level cybersecurity measures designed to protect against sophisticated threats, necessary for contractors dealing with highly sensitive information.

This tiered approach ensures that the CMMC framework is both scalable and adaptable, accommodating the diverse capabilities and resources of contractors within the DIB.

Implications for Defense Contractors

Now that the CMMC Programmatic Rule (CFR 32) has been published to the Federal Register, defense contractors must take immediate steps to ensure compliance. The published final rule will become effective 60 days from October 15, 2024, the date the rule was published to the Federal Register. This will allow C3PAOs to begin performing CMMC assessments without the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). The following actions are recommended for all contractors within the defense supply chain:

  1. Evaluate Current Cybersecurity Practices: Contractors should conduct a thorough assessment of their existing cybersecurity posture to determine which CMMC level applies to their operations.
  2. Implement Necessary Cybersecurity Controls: Based on the applicable CMMC level, contractors must implement the required controls to meet certification standards. This may involve significant investment in technology, processes and personnel training.
  3. Develop Program Documentation: Contactors must develop certain required documentation supporting their CMMC program including a system security plan, shared responsibility matrix, incident response plan, and other supporting policies and procedures.
  4. Engage in Readiness Activities: Contractors should begin engaging with a qualified provider to schedule a gap or mock assessment to identify any potential deficiencies that could hinder certification.

Support and Guidance from Cherry Bekaert

Navigating CMMC compliance can be challenging. Cherry Bekaert offers tailored services to support organizations through every stage of the process. Whether you need a readiness assessment, gap analysis or help with achieving certification, our qualified team provides the guidance needed to meet CMMC standards and secure your position in the defense supply chain.

Conclusion

The finalization of the CMMC Programmatic Rule represents a significant advancement in the DoD’s efforts to safeguard FCI and CUI within the defense supply chain. The next step will be finalization of the CMMC Acquisition Rule (CFR 48) which will contractually enforce CMMC requirements upon contractors. Failure to comply with CMMC once enforceable could result in being barred from bidding or executing on DoD contracts.

As the rule moves closer to becoming enforced, it is imperative for all defense contractors to stay informed, prepare for certification and ensure compliance with these new cybersecurity requirements. The future of national security and defense contracting depends on the successful implementation of these standards, which will play a critical role in protecting the integrity and resilience of the Defense Industrial Base.

For more information on the CMMC rule and its implications, please refer to the below references [OIRA Review Details].

If you have any questions regarding CMMC, Cherry Bekaert’s Information Assurance & Cybersecurity and Government Contracting advisors are available to discuss your situation with you.

Related Insights

References

  1. https://www.reginfo.gov/public/do/eoDetails?rrid=589561 and [Regulatory Agenda]
  2. https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202404&RIN=0790-AL49
  3. https://www.federalregister.gov/documents/2024/08/15/2024-18110/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of
  4. https://cyberab.org/News-Events/Town-Halls — September 2024 Town Hall

Steven J. Ursillo, Jr.

Information Assurance & Cybersecurity

Partner, Cherry Bekaert LLP
Partner, Cherry Bekaert Advisory LLC

Kurt Manske

Information Assurance & Cybersecurity Leader

Partner, Cherry Bekaert Advisory LLC

Brian Kirk

Information Assurance & Cybersecurity

Sr. Manager, Cherry Bekaert Advisory LLC

Contributors

Connect With Us

Steven J. Ursillo, Jr.

Information Assurance & Cybersecurity

Partner, Cherry Bekaert LLP
Partner, Cherry Bekaert Advisory LLC

Kurt Manske

Information Assurance & Cybersecurity Leader

Partner, Cherry Bekaert Advisory LLC

Brian Kirk

Information Assurance & Cybersecurity

Sr. Manager, Cherry Bekaert Advisory LLC