The CMMC Proposed Rule and Expectations in 2024

In December 2023, the Department of Defense announced its new Proposed Rules for CMMC. This release comes two years after their initial proposal for CMMC 2.0 as a framework. 

Many of CMMC’s expected requirements are coming to pass, and the DoD is looking to finalize and aggressively roll out the program over the next three years. 

Learn more about this next phase in CMMC implementation and what it might mean for your organization.

 

What Is CMMC 2.0?

CMMC 2.0 is a revision of the original 1.0 specification intended to streamline and bolster model aspects based on initial engagement and feedback from organizations and stakeholders. The CMMC framework assures that contractors have a consistent and appropriate model for their security, abide by reasonable and mature cybersecurity practices and processes, and maintain those standards over time.

In a broad sense, version 2.0 was designed to ease contractors’ certification paths, lower costs for small and medium enterprises, and raise visibility and access to cybersecurity requirements. 

Major updates in CMMC 2.0 include:

  • Maturity Level Simplification: The initial five levels were reduced to simplify the framework. This simplified compliance expectations and removed unnecessary “gap” maturity levels–the original Levels 2 and 4 were generally seen as preparatory phases between an organization’s ability to handle CUI and its ability to handle Advanced Persistent Threats (APTs). 
  • Assessment Prioritization: Under CMMC 2.0, third-party assessments will be mandatory for companies at Levels 3 and most at Level 2; companies at Level 1 can perform self-assessments, significantly reducing the compliance barrier for small businesses with less sensitive information.
  • POA&M (Plan of Action and Milestones): This enables organizations with non-compliant systems to finalize certification later, provided they devise a plan (POA&M) to remedy the issues. This compliance aspect is present in other frameworks, like FedRAMP, but was only introduced as a possibility for CMMC in the second version. 

With CMMC 2.0, the certification process is more light-filled and manageable for the small businesses it serves.

 

Why Are We Just Getting a Proposed Rule Now?

In November 2021, the DoD rescinded the initial CMMC framework (retroactively known as “CMMC 1.0”) and proposed the next version, 2.0. 

Over the next two years, this new version was seen as the necessary revision to the framework and the foundation upon which CMMC would ultimately rest. As such, the rules outlined here will begin to enter federal DiB contracts over the next three years.  

 

What Can We Expect From the Proposed Rule?

CMMC 2.0 proposed rule

Now that the Proposed Rule has been published, we can get more insight into how the CMMC sees this program rolling out and the finer points of some of the changes. 

These finer points include:

    • Assessment Split: While Level 2 has specifications for both self- and third-party assessments, the assumption is that most will fall under the latter category. It’s important not to assume your organization can get by without engaging with a C3PAO. The Proposed Rule offers estimates of how they expect assessment types to break down:
Assessment Level Small Other than Small Total
Level 1 Self-Assessment 103,010 36,191 139,201
Level 2 Self-Assessment 2,961 1,039 4,000
Level 2 Certification Assessment 56,689

19,909

76,598
Level 3 Certification Assessment 1,327 160 1,487
Totals 163,987 57,299 221,286

 

  • Timing for Assessments: Any organization conducting self-assessments (at Levels 1 and 2) will be expected to start as soon as the rule is implemented, followed by a phased rollout. Due to the short preparation time and the limited number of third-party assessment organizations (C3PAOs), there could be a significant bottleneck.
  • Plan of Actions and Milestones: While POA&Ms are now allowed, they only apply to specific controls in NIST 800-171 and 800-172. Any POA&M must be completed within 180 days.
  • Compliance Officer Affirmation: Contractors must affirm assessments after each assessment (including after completion of POA&M) and then annually. These affirmations must be submitted and verified by the senior person responsible for compliance within the organization.

What Are the Phases of CMMC Rollout?

The DoD plans to roll out the CMMC framework over 30+ months, with an ever-expanding set of requirements for higher-security organizations. 

Note that there are separate requirement rollouts for new contracts, and the DoD is exercising existing options for additional products and services, which are noted where relevant.

  • Phase 1: This phase begins immediately after the CMMC rules are implemented and covers Level 1 and Level 2 self-assessments. Organizations in this category must complete self-assessments for any contracts released after implementation.
  • Phase 2: Beginning six months after the beginning of Phase 1, relevant contracts will now include requirements for Level 2 Certification (third-party) Assessments. There are potential cases for postponing this requirement, and there could be some overlap with including Level 3 requirements.
  • Phase 3: This phase starts one year after Phase 2 and includes requirements for both Level 2 and Level 3 Certification Assessments for both contracts and exercising option periods.
  • Phase 4: Full implementation of CMMC requirements across all DoD contracts and options.

 

It’s Time to Get Ready for CMMC with Lazarus Alliance

With the new rule published and comments closed, there’s no more wiggle room for approaching CMMC compliance. And with the long lead times and relatively limited number of C3PAOs out there, waiting could cost your organization time and money it doesn’t need to lose. 

If you’re looking to kickstart your assessment, contact Lazarus Alliance.

[wpforms id=”137574″]