In August, the U.S. Department of Defense (DoD) made key announcements about their Cybersecurity Maturity Model Certification (CMMC) program. In this issue of our newsletter, we:
Summarize what the DoD announced and the contractors affected,
Describe what contractors must do when bidding on DoD solicitations,
And describe training courses to ready your organization.
What the DoD Announced
According to an alert posted by the law firm of Duane Morris, “On August 15, 2024, the Department of Defense (DoD) published a proposed rule to implement the Cybersecurity Maturity Model Certification (CMMC) 2.0 program through revisions, pursuant to Title 48 of the Code of Federal Regulations, to the Defense Federal Acquisition Regulation Supplement.”
“The proposed rule outlines how DoD will integrate the requirements for its CMMC program into the contracting process. Interested parties now have the opportunity to comment on the proposed rule, with DoD accepting comments through October 15, 2024.”
What Contractors Are Affected
The Duane Morris alert went on to say: “The proposed rule applies to all DoD contractors and subcontractors (through flow-down requirements) who process, store or transmit FCI (federal contract information) or CUI (controlled unclassified information). Prime contractors will be responsible for ensuring that subcontractors not only understand the CMMC compliance requirements, but also are satisfying the requirements for the prime contractor’s designated CMMC level.”
What Contractors Must Do
In a September 4 article published on Lexology, the law firm of Thompson Hine described the specific regulations that the DoD, contractors and assessors must follow:
“The proposed rule amends the DFARS regulations, and it requires contractors to demonstrate at the time of contract award, either through a current CMMC certificate or self-assessment, compliance with the CMMC level mandated in the solicitation.”
“Under the revised regulations, before awarding a contract or exercising an option, the agency must verify that the CMMC compliance results are posted in the Supplier Performance Risk System (SPRS) for each DoD unique identifier (UID) and that the apparently successful offeror affirms continuous compliance with the applicable security requirements.”
“The proposed rule includes a new DFARS clause that specifies that the agency must notify contractors of the CMMC level required by the solicitation.”
“The DFARS clause also specifies the proof of CMMC compliance that the offeror must post in SPRS:
offerors must post CMMC Level 1 and 2 self-assessments in SPRS;
third-party assessment organizations must post CMMC Level 2 certificate assessments in SPRS;
and the DOD assessor must post CMMC Level 3 certificate in SPRS.”
“The proposed rule further includes prescriptive DFARS language notifying apparently successful offerors that they will not be eligible for an award if they do not have the results of CMMC compliance posted in SPRS and do not affirm their continuous compliance with the applicable security requirements.”
Our Chief Operating Officer, Chris Gundel, encourages you to review the proposed rule thoroughly, and provide your comments or requests for clarifications to the DoD by October 15, 2024. Use Regulations.gov to submit those comments.
Chris also highlights that this proposed rule requires a Cloud Service Provider (CSP) whose offering is used to process, store or transmit CUI to be FedRAMP Moderate authorized or to meet Federal Risk and Authorization Management Program (FedRAMP) Moderate equivalency.
Therefore, if you are an organization seeking certification (OSC) and you use a CSP's cloud service offering within the scope of your CMMC environment, that offering must be 100% compliant with the FedRAMP Moderate security control baseline, as validated by an assessment performed by a FedRAMP-recognized Third Party Assessment Organization (3PAO). Note that this is a FedRAMP 3PAO assessment of the cloud offering, which is separate from the CMMC assessment of your own environment by a CMMC Third-Party Assessment Organization (C3PAO).
The CSP must provide the OSC with a comprehensive body of evidence (BOE) from that assessment and a customer responsibility matrix (CRM) that states which security requirements the CSP satisfies and which remain the OSC's responsibility.
It is expected that the DoD will release and publish a CMMC final rule in early to mid-2025.
Courses to Prepare Your Organization for CMMC
It’s time for your organization to do whatever is required to become compliant with CMMC 2.0. At the time of DoD contract award, the proposed rule requires contractors to demonstrate compliance with the specified CMMC level through a current CMMC certificate, self-assessment, third-party assessment or DoD assessment.
Celerium’s CMMC Insights Courses provide training and insights on CMMC 2.0 and NIST 800-171 for contractors who need to comply with CMMC 2.0 Level 1 and 2 and NIST 800-171 standards and regulations.
Recently, we announced our enhanced CMMC Level 2 and NIST SP 800-171 Suppliers Course. This Insiders Edition of our course helps you prepare your organization for CMMC compliance assessments and NIST SP 800-171 audits.
Take a look at the many relevant features of our Insiders Edition course.
This enhanced course supplements Celerium’s CMMC Level 2 Insights Course with two comprehensive reference guides that cover the identical scope of knowledge and skills taught to CMMC Assessors. Specifically, these guides provide in-depth coverage of the assessment process from an assessor’s perspective, including details on planning, evidence collection methodologies, evaluation/validation criteria and scoring practices.
As a Member of our CMMC Academy, we invite you to take advantage of this results-oriented training course at a substantial discount.
25% Discount for Academy Members
Use Code: CMMC25
How to Subscribe to Our Newsletter
Please forward our newsletter to other professionals you believe will benefit from timely information and updates on CMMC. They can subscribe by clicking here.
CMMC Academy Newsletter is published monthly by Celerium, Inc.
Celerium’s CMMC Academy, launched in January 2020, provides resources to help government contractors understand and navigate the CMMC requirements, including free videos and webinars.
Celerium is authorized by the CMMC Accreditation Body (CMMC AB) to create educational material for CMMC assessors via Celerium’s Licensed Partner Publisher (LPP) designation. Celerium also is authorized to deliver training to CMMC assessors via its Licensed Training Provider (LTP) designation. Additionally, Celerium is a Registered Provider Organization (RPO) with the CMMC AB.
The CMMC Academy’s International Alliance, which includes CenSec and the American Danish Business Council, brings together international organizations focused on facilitating the implementation of CMMC. Sponsors of the CMMC Academy include Bank of America and Citi Bank.