CMMC Final Program Rule: What Are The Upcoming Changes?


The Cybersecurity Maturity Model Certification, or CMMC, has been a long time coming. It was first developed in 2019, primarily as a way for defense contractors for the Department of Defense to switch from self-attestation to a validated certification. CMMC 1.0 has been in effect since 2020, but there has been a lot of feedback regarding the complexity and clarity of the system, leading to the development of CMMC 2.0.

CMMC 2.0 was first released in 2021 as an upgrade and as a framework open for feedback. Several years have passed since then, but on October 15, 2024, the Final Rule was published in the Federal Register. The rule becomes fully effective on December 16, 2024.

What does all of this mean? What are the upcoming changes, and what do you need to know?

BLUF - Bottom Line Up Front

The Cybersecurity Maturity Model Certification (CMMC) 2.0, effective December 16, 2024, introduces new guidelines for defense contractors, replacing self-attestation with validated certification. Changes include extended timelines, exemptions for some service providers, and new appeal limitations. Small and foreign businesses must comply equally. Certification costs vary significantly by level. Ignyte offers tools and C3PAO services to assist organizations in achieving compliance. The updated rules aim to enhance security across the Defense Industrial Base.

What is the Final Rule?

The Final Rule for CMMC 2.0 is the finished product of the development of CMMC, having taken the CMMC 1.0 framework and made many adjustments according to evolving best practices, the state of cybersecurity globally, and feedback from those affected by the framework. Many changes have been made from CMMC 1.0.

In broad strokes, most of CMMC 2.0 has been available for several years. The iterative changes made to it over the past couple of years have been made to small elements of the rule, or to elements of the timeline that defense contractors will need to adhere to in order to achieve or maintain certification, and thus maintain or acquire contracts with the Department of Defense.

The publishing of the Final Rule is a crystallization and finalization of the state of CMMC 2.0. The time for public feedback is over; now, the real work begins. CMMC 2.0 has been released, and it’s time to figure out what you need to do to achieve certification.


If you want to read the Final Rule for yourself, you can find it in the Code of Federal Regulations (CFR), also known as the Federal Register. The full text can be found here. Be warned, however, that this document is extremely long and dense. The printable PDF version is some 146 pages of text packed margin to margin.

That’s why we’re here to help distill down the most important changes, after all. That said, you’re free to read it yourself; in fact, it’s likely a good idea to have the people most responsible for your organization’s cybersecurity give it a once-over and talk with experts directly to see what is most relevant to your firm.

The Rollout Timeline

First, and potentially one of the most important elements of the Final Rule, is the timeline. Fortunately, this is one area where public feedback had a positive effect: the timeline has been extended in the Final Rule compared to previous iterations of the program.


Phase One: Beginning at the date of final implementation, December 16, 2024, CMMC requirements will begin to be included in contracts within the Defense Industrial Base. Specifically, this will occur in contracts with CMMC Level 1 and CMMC Level 2 self-assessed organizations. This phase lasts one year, which is an improvement from before when it only lasted six months.

After this phase, two more one-year phases will follow. CMMC requirements will first expand to contracts at CMMC Level 2 that require third-party certification, and then to contracts that require CMMC Level 3 certification.

By the fourth year, CMMC 2.0 will be fully required, and by the end of that fourth phase, full implementation is expected.

Accelerated Timelines

Under the Final Rule, phase one simply requires self-attestation, and a C3PAO assessment is only required starting at phase two. However, the DoD can choose to accelerate adoption for certain contractors (likely those with sensitive information or projects). Under this accelerated timeline, those organizations would be required to achieve a C3PAO certification in phase one.


This will likely apply primarily to prime contractors and less so to subcontractors and will center around the most sensitive types of information. It’s not expected to affect a significant number of contractors, and those likely to be affected will have a good idea that they’ll be in that category, but it’s still good to be prepared, just in case.

The ESP Exemption

Another beneficial change concerns external service providers (ESPs), such as cloud service providers, who work with defense contractors but who themselves do not process, store, or handle CUI.

A big part of CMMC is the flow-down of requirements. If the Department of Defense has a project where they want to work with a contractor at Level 2 requirements, and that contractor has other contractors that work with them, those contractors would also need to be certified. The requirements trickle down to any external service provider.

The change made in the Final Rule is to lighten the load. Formerly, any contractor working with a company that held a DoD contract would need to achieve the same level of CMMC certification as their partner. Now, if the ESP does not handle CUI, they are exempt from the CMMC rule. This mirrors FedRAMP requirements that exempt them from needing to follow DFARS 252.204-7012.

Many cloud service providers have breathed a sigh of relief at this.

The Limitation on Appeals

After phase one, phase two and beyond will require that a Certified Third-Party Assessment Organization, or C3PAO, perform an assessment to validate the implementation of security controls throughout the organization and issue a determination to pass or fail the assessment.

If the organization being assessed disagrees with the C3PAO, they have the right to appeal within the C3PAO. If the C3PAO reaffirms their determination and the organization still disagrees, they can escalate and raise an appeal with the Accreditation Body.


In the Final Rule, this is where appeals stop. The Accreditation Body has the final word as it currently stands. There is no extant avenue to appeal their decision with the Department of Defense.

There will likely be court challenges in the next few years as disagreements arise. How these will play out is anyone’s guess at this point.

Treading Familiar Ground with NIST

Another important note on CMMC 2.0 is that, as it stands, it uses NIST SP 800-171 Revision 2 as its baseline. NIST has been working on Revision 3 of this publication for some time and released the final version in May 2024. However, as things stand, CMMC will rely on Revision 2 rather than the newer, changed requirements found in Revision 3.


It’s likely that changes will be made in the future to implement Revision 3, but for now, Revision 2 is the rule you’ll need to follow.

The Use of POA&Ms

One of the elements of flexibility in a complex cybersecurity atmosphere is the POA&M, or Plan of Action and Milestones, document. POA&Ms are a stopgap measure: if your organization is seeking CMMC 2.0 Level 2 or Level 3 certification but doesn’t quite meet all of the requirements, one of two things can happen. Either the gaps in your implementation are severe enough that you lose your contract until you can fill them, or the gaps are minor enough that you are allowed to use a POA&M.


POA&Ms allow you to identify the controls that are not yet fully implemented and develop a timeline for implementing them, along with a designated individual whose responsibility is to ensure that implementation. While a POA&M is in effect, you can still work with your existing contract and only risk losing it if you fail to achieve full certification by the timeline in the POA&M.

You can read more about POA&Ms and how they relate to CMMC compliance in our guide here.

The Burden on Small Businesses

Previously, when an organization was small enough, it was frequently able to slip through the cracks by taking advantage of loopholes, self-attestation, and other low-visibility or low-oversight situations. While this allowed those small businesses to operate with light requirements, it has also proven to be a significant vulnerability for the Defense Industrial Base. It doesn’t matter whether a business is small or large; a compromise of CUI is a compromise of CUI.

With the Final Rule, the DoD has explicitly and repeatedly referenced small businesses specifically and reiterated that they are required to adhere to CMMC rules just like any other business. While objections have been raised due to the cost of achieving that certification, the DoD has little sympathy; being “just a little guy” is not a defense against foreign attack, and a vulnerability is a vulnerability.


The truth is, if a small business can’t handle achieving and maintaining a security certification, it shouldn’t be working in a position within the Defense Industrial Base that requires that certification. If they don’t handle CUI at all, they may be able to take advantage of the previously-mentioned exemption for ESPs, but otherwise, it’s clear: either achieve certification or don’t aim for contracts that require it.

The Standard for Foreign Businesses

Another new element of CMMC 2.0 in the Final Rule is that foreign companies that want to be part of the overall Defense Industrial Base will now need to adhere to CMMC 2.0 just like their US counterparts. Simply achieving ISO 27001 certification is not enough, even if they broadly overlap.


The Final Rule states that the program rule “does not permit partial exemption of assessment requirements for foreign contractors.” CMMC 2.0 requirements will apply to both domestic and international prime contractors and flow down through the supply chain until they reach the point where CUI stops.

Think of it this way: CMMC protects information, regardless of who holds that information.

The Cost of Certification

One of the biggest concerns surrounding CMMC 2.0 – and not just for small businesses – is the cost of achieving a certification.


Many things go into this certification. Engineering costs, both recurring and one-time, as well as assessment costs, are just the start. Consulting costs, the costs of preparing an audit documentation package, the application, the audit itself, the cost of hiring people internally to manage all of this, and more, all build up.

The level you seek to achieve will also significantly impact the cost of succeeding.

Estimates of the specific costs vary. Many place the cost of a Level 1 self-assessment in phase one at around $5,000, with additional affirmations running a similar cost each year. Level 2 is more, with self-assessments around $40,000 and full C3PAO assessments as much as $100,000. For Level 3, it can be even higher.

One saving grace is that a lot of these costs are one-time costs. Performing a complete assessment internally, identifying the gap between your current implementation and your goal, and putting in the work to achieve that implementation, is costly. Maintaining that position and recertifying every few years is a comparatively smaller cost.

Letting Ignyte Help

At Ignyte, we can help you achieve CMMC certification in several ways.

First, our informational blog is an excellent resource for various cybersecurity and information security topics. We write about many different aspects of these topics, and if you have specific questions, you can ask them in the comments or reach out to us directly.

Second, the Ignyte Platform was designed as a centralized, non-siloed tool you can use to accumulate paperwork, documentation, information, and results necessary to build up your compliance. It doesn’t do the work for you, of course, but it can help you keep track of what is being worked on and what has been done so you don’t lose time and effort on miscommunications, out-of-date documentation, and conflicts of information. You can book a demo of the Ignyte Assurance Platform quickly and easily to see what it can do for you.


Third, Ignyte is itself a C3PAO. If you’re seeking certification when phase two rolls around or if you’re part of the accelerated batch in phase one, we may be able to work with you to perform your assessment and help you achieve certification.

All of that said, now that the CMMC 2.0 Final Rule has been published, everything is about to kick into high gear. Consultants, assessment schedules, applications, and more are expected to fill up quickly, so act fast to make sure you have a place in line.
