Key Takeaways
- Rule Effective Date: The CMMC program final rule was officially published on October 15, 2024, and became effective shortly thereafter on December 16, 2024, establishing a firm deadline for organizations to transition to the CMMC 2.0 requirements.
- Protection Standards Mandated: The CMMC 2.0 framework is designed to ensure defense contractors protect both Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) by aligning requirements with Federal Acquisition Regulation (FAR) clause 52.204-21 and the NIST SP 800-171 Rev 2 standard.
- Verification Varies by Data Sensitivity: Compliance verification scales with the risk: FCI handling requires a self-assessment of 15 security requirements, whereas CUI handling necessitates a formal verification conducted by a Certified Third-Party Assessor Organization (C3PAO).
Addressing Cybersecurity Threats with CMMC
On October 15, 2024, the U.S. Department of Defense (DoD) published the final Cybersecurity Maturity Model Certification (CMMC) program rule in the Federal Register. The CMMC framework is designed to ensure that defense contractors are effectively protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The DoD has introduced the CMMC 2.0 framework to ensure that information is safeguarded at a level that corresponds to the risks posed by cybersecurity threats.
The final rule aligns the CMMC program with the cybersecurity requirements established in Federal Acquisition Regulation (FAR) clause 52.204-21 and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Rev 2. It also specifies the 24 NIST SP 800-172 requirements necessary for CMMC Level 3 certification.
Organizations handling FCI will be required to self-assess that FCI is processed, stored, or transmitted securely while fulfilling the contract. Organizations will be required to comply with the 15 security requirements set by FAR clause 52.204-21. All 15 requirements must be met in full.
Organizations handling CUI will be required to complete a Level 2 assessment, conducted by a Certified Third-Party Assessor Organization (C3PAO), to verify compliance with the 110 security requirements of NIST SP 800-171 R2. The CMMC program includes Plans of Action and Milestones (POA&Ms). These plans allow organizations to receive conditional certification for 180 days while they work toward meeting NIST standards for specific requirements outlined in the rule.
Organizations handling CUI for the DoD’s most critical programs are required to complete a Level 2 assessment, conducted by a C3PAO. In addition to obtaining a Level 2 CMMC certification, these organizations are also required to undergo a government assessment, conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), to verify compliance with the 24 additional requirements derived from NIST SP 800-172.
Choose Auditwerx for CMMC Readiness
The CMMC program rule is effective December 16, 2024. Getting a head start on meeting CMMC requirements can help ensure a seamless transition to CMMC 2.0. Auditwerx is a candidate C3PAO offering CMMC Readiness solutions; contact us today.
FAQs
The final rule, published by the U.S. Department of Defense (DoD) on October 15, 2024, became formally effective on December 16, 2024.
The CMMC framework is designed to ensure that defense contractors effectively protect both Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
Organizations handling FCI are required to self-assess their security and must comply with the 15 security requirements set forth by FAR clause 52.204-21. All 15 requirements must be met in full.
A candidate C3PAO like Auditwerx can assist you with the readiness process to ensure your organization is fully prepared.
Organizations handling CUI are required to comply with the 110 security requirements of the NIST SP 800-171 R2 standard, which corresponds to a Level 2 assessment.
These organizations must complete a Level 2 compliance verification by a C3PAO and also undergo a separate government assessment, which includes an additional 24 requirements derived from NIST SP 800-172.
The CMMC program includes Plans of Action and Milestones (POA&Ms), which allow organizations to receive a conditional certification for up to 180 days while they work to meet NIST standards for specific outstanding requirements.