The New CMMC Proposed Rule: What Manufacturers Need to Know Now
What are top the takeaways for manufacturers from the Defense Department’s (DoD) proposed rule for its Cybersecurity Maturity Model Certification (CMMC) program?
Increased accountability and flexibility are among the notable proposed additions to the program, which is aimed at heightening U.S. defense industrial base (DIB) cybersecurity, said Sam Moyer, the lead cybersecurity engineer at MxD. The DoD proposed rule also clarifies language from earlier CMMC versions, including about third-party certifications.
And there is added complexity, Moyer noted, including the recommended splitting of Level 2––the level that would affect most DIB contractors––and pulling external service providers under the CMMC umbrella.
This CMMC version is not final yet. Now in its 60-day comment period, the proposed CMMC rule is not expected to become final until late this year or early next year. As it released the long-awaited proposal, the DoD said the revamped program has been crafted to ensure that defense contractors and subcontractors are complying with requirements to protect federal contract information (FCI) and controlled unclassified information (CUI). Once CMMC is approved, such compliance will be required to win or extend DoD contracts.
Proposed CMMC Rule Has Three Levels
Level 1 covers contractors that work only with FCI. They would have to implement the 15 security controls outlined in FAR 52.204-21 and do an annual self-assessment, registering it in the Supplier Performance Risk System (SPRS).
Level 2, which would be for the majority of DIB contractors, would be split. A small group of Level 2 contractors would do self-assessments like those required in Level 1, with that group defined per individual DoD contracts. The majority of companies handling CUI would be subject to third-party assessments every three years. These would be done by a Certified Third-Party Assessment Organization (C3PAO) and submitted on companies’ behalf through the eMASS system, which would then get the information into SPRS. To achieve Level 2, contractors would have to implement the 110 security controls in the National Institute of Standards and Technology’s (NIST) SP 800-171 Revision 2.
Level 3 would be for the biggest defense contractors, and DoD assessors would do their certification assessment. Contractors at this level would have to implement all of the Level 2 requirements plus 24 selected controls from NIST SP 800-172.
The DoD already requires companies that handle CUI to comply with NIST SP 800-171. But gaps persist in checking that compliance; at the same time, manufacturers have become the top target for cybercriminals.
NIST Requirements Remain in Force
Once approved, any new CMMC requirements are expected to be phased in over three years, and the DoD forecasts that it will take two years for companies with existing contracts to become CMMC certified. Until contracts with CMMC requirements are issued, much remains up in the air. But, Moyer cautioned, existing g DoD NIST requirements “don’t just go away because CMMC isn’t figured out. Those are things manufacturers in the DIB are supposed to be doing now.”
The proposed rule beefs up accountability. One of the biggest things to note in the proposed rule, Moyer said, is that all three CMMC levels would require a signed affirmation from a senior company official that assessments are accurate and requirements have been met. Level 1 contractors would register that affirmation annually in SPRS along with their self-assessments. For Levels 2 and 3, the affirmation would be needed after each assessment.
“It would no longer be enough to say you’ve done it,” Moyer said. “A company official would have to attest to it.”
Additionally, it’s not just prime contractors that would have to be certified. Requirements for the CMMC level in a contract would likely trickle down to the subcontractors. External service providers, including some cloud service providers that provide more than just cloud hosting services, would be affected, too, having to comply with certification that is equal or greater to the contractor that hired them.
Another big proposed change in accountability, Moyer said, is that the primes would be under more pressure to ensure that all of their subcontractors had submitted affirmation letters attesting that they were meeting all requirements.
What Else Can Manufacturers Expect?
One plus for contractors that Moyer highlighted is that if the proposed rule is finalized as written, some Level 2 and 3 requirements not fully implemented at the time of an assessment could qualify for a Plan of Action and Milestones (POA&M).
“That’s a good thing,” he said. “This is a process, and things are always changing. So, a contractor may go into an assessment thinking they have stuff hammered down, but an assessor finds that the control is not really being met. They now have 180 days to fix it.”
Overall, Moyer said, this proposed version of CMMC is “definitely helpful to get everyone on a baseline and help them understand that their network or their connected device brings in a whole new threat landscape to DIB supply chains.
“Cybersecurity is no longer just about manufacturers protecting their facility or protecting their intellectual property. Production could get shut down. Or they could impact other companies farther up the chain,” he added. “This new proposed rule takes us in the right direction for what needs to get done.”