News About CMMC
Regardless of your current status regarding CMMC, it is time for action. We will help you understand your gaps and make a plan to achieve certification.
The link to the 234 pages of proposed rules is below:
Although we have already posted a blog about the proposed rules, this blog is focused on what our clients and friends will most want to know. Even if cybersecurity isn't an absolute regulatory requirement for your business, it is worth understanding how serious the cyber threats are to the federal government and to all of our private sector businesses.
The proposed rules take up 234 pages of the Federal Register from Dec. 26, 2023, so we have identified several specific items for you to consider.
The FIRST item is that the rules apply across the whole of the Defense Industrial Base, regardless of the size of your organization. What matters is the data: the level of compliance required depends on the data you are or will be handling.
Understanding your data flow is of paramount importance, whether you are documenting how you operate today, how you will operate, or where you want to pursue more opportunities from DoD: how your data flows sets up everything else. You can limit the scope of your environment for CMMC purposes (see our blog entries about enclaves), or you can use the flow to find areas that are a bit too loosey-goosey and shore them up before conducting an assessment.
The SECOND area we want to point out is for those of you that are MSPs or MSSPs or use them (almost all of you): there are new rules proposed in this area. As you likely already know, if you use a Managed Service Provider (MSP) or Managed Security Service Provider (MSSP) for anything to do with your IT system, you are using what the rules term an External Service Provider (ESP) and you are "inheriting" controls from them. Therefore, you need to worry about your own operation and the ESP's. New in this version: the rules require ESPs to hold the same level of certification that you do.
Thus, if you use an ESP, you will need to require that your MSP meets the CMMC level you have to meet in your contract with DoD, with evidence that they do. The flaw? An ESP does not typically have a direct DoD contract; rather, it is a flow-down requirement. If you are an MSP, as we have been saying for some time now (see the MSP White Paper, "A CMMC Niche for MSPs," under the Resources tab on our website), we believe there is a HUGE opportunity for ESPs that can get to a CMMC Level 2 (L2) readiness position. Although the mechanism by which an ESP would be certified is not specified, our guess is that you will be allowed to self-assess (permitted for a small number of organizations) until there are enough assessors to get to you. (NOTE: just a guess!)
If you use an ESP (including Cloud Service Providers; Microsoft and Google are examples), your contracting vehicle will almost certainly need to be modified, or perhaps formalized, to require that the ESP meet the CMMC level you specify (likely L2). You will need audit rights and the ability to request copies of certifications and audit reports. You will also need to specify in your contract that the ESP must assist you in the event you are audited or assessed.
Number THREE is that new scoping and assessment guides were also released on Dec. 26, 2023. Although the bulk of the documents (i.e., the controls) remain the same, there are some changes and updates in the introductory and concluding sections that should be examined. For example, one concerning item comes from the Level 2 Scoping Guidance document (the link to all of the documents is here: ), which states that an OSC (Organization Seeking Certification) with DoD contracts that handle different data, i.e., one for FCI and others for CUI, will need two assessments. It states that the Level 2 (L2) assessment performed by a C3PAO or DIBCAC is different from what is required in a Level 1 (L1) assessment, so an L2 assessment alone is not considered adequate to cover the L1 requirement. (That is crazy in our view!)
FINALLY, rulemaking is not yet complete. The proposed rules we have been discussing are from 32 CFR Part 170. The fact that the CMMC program rules emanate from 32 CFR is significant, as this makes the CMMC Program a formal program of the US Government. The earlier iterations treated CMMC as part of the procurement requirements under DFARS. Now it is both, although the 48 CFR rules are only expected to be released for public comment in March 2024. Following that public comment period and review, both parts will go into effect at the same time. Once the program is in effect, the initial L1 assessments are required in the first 6 months. Phase 2 of the 4-phase CMMC rollout begins in month 7 and initiates requirements for L2, which continue over the next 2 years. The whole program is expected to be rolled out within 2.5 years.
We could keep going forever about our initial impressions and items we think need to be addressed going forward. However, the most important thing for anyone sitting on the fence, or still believing "these will never be enforced for my company," is this: now that the rules are published, it is real!
By now, we have lots of experience working on this framework, with many of you and through all the training we have done. We will help you map out the next steps and get you ready to be assessed. The sooner you have everything in place, the sooner you may be certified.
Write, call, or set up a meeting with us to assess where you are now and what needs to be done next. If we do a pre-assessment and find you are in good shape, let us help you set up your formal assessment. [Unfortunately, while some CMMC assessors (C3PAOs) are up and running and more are in the pipeline, there aren't enough to assess everyone who wants to be certified. Getting in line sooner rather than later is in your best interest; just keep up the monitoring and gathering of evidence!]
Send a message to comply@3comply.com, call us at 401.252.1800