CMMC - Finally. Kind of.

by Brandon Graves, Partner

  • Cybersecurity, Government Contracting

On October 11th, the portion of CMMC in Part 32 of the CFR was released for public inspection.  We anticipate publication in the federal register today, October 15th.  So in the long running saga of CMMC, what does this mean?

We won’t rehash the history here, but the structure of the program is important.

The portion of CMMC in Part 32 deals with how the program operates.  From the summary, “The mechanisms discussed in this rule will allow the Department to confirm a defense contractor or subcontractor has implemented the security requirements for a specified CMMC level and is maintaining that status (meaning level and assessment type) across the contract period of performance.”

In brief, the program will require DOD (and at this time, only DOD) solicitations to carry a CMMC level and assessment type requirement that establishes a cybersecurity floor for award eligibility.  There will be four levels*:

  • Level 1 includes the 15 security controls currently required by FAR clause 52.204-21 and a self-assessment.
  • Level 2 includes the 110 security controls currently required by DFARS clause 252.204-7012 and a self-assessment.
  • Level 3 (confusingly, labeled Level 2 in the documentation) includes the 110 security controls currently required by DFARS clause 252.204-7012 and a third-party assessment.
  • Level 4 includes the 110 security controls required by DFARS clause 252.204-7012, an additional 24 controls from NIST SP 800-172, and a DIBCAC assessment.

There are a lot more moving parts, of course; the rule is 470 pages long.  One thing worth mentioning that we see a lot of (expensive) misinformation on:  the rules apply to systems, not contractors.  The rule summary states: “OSAs must first identify which information systems . . . will process, store, or transmit [certain information].  These information systems constitute the scope of the assessment.”

The other main portion of CMMC is not final yet: the portion that will establish the DFARS clauses imposing CMMC on contractors.  Currently, the Pentagon anticipates publication of that rule in mid-2025.  Once that rule is final, CMMC will be included in solicitations and contracts.

We will follow up with important points about CMMC, but the key thing to know right now is that there is lots of misinformation circulating, and there are lots of bad actors taking advantage of that misinformation.  It is important that you understand your actual obligations so that you can take steps to meet them, but also so that you do not waste significant resources chasing compliance that isn’t needed.


*I’m using “level” in a different manner than the regulation; technically, there are only three levels in the regulation.  However, there are two sublevels within Level 2, which the regulation refers to as “statuses.”  My use of “level” is equivalent to “status” in the regulation.  I’ve made the substitution because a “status” is a description of where you are at, and I’ve found its use in the manner of the regulation to be confusing.