On October 15, 2024, the U.S. Department of Defense (DoD) published the final Cybersecurity Maturity Model Certification (CMMC) program rule in the Federal Register. The CMMC framework is designed to ensure that defense contractors are effectively protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The DoD has introduced the CMMC 2.0 framework to ensure that information is safeguarded at a level that corresponds to the risks posed by cybersecurity threats.
The final rule aligns the CMMC program with the cybersecurity requirements established in Federal Acquisition Regulation part 52.204-21 and the National Institute of Standards and Technology (NIST) Special Publications (SP) 800-171 Rev 2. It also specifies the 24 NIST SP 800-172 requirements necessary for CMMC Level 3 certification.
Organizations handling FCI will be required self-assess that FCI is processed, stored or transmitted securely while fulfilling the contract. Organizations will be required to comply with the 15 security requirements set by FAR clause 52.204-21. All 15 requirements must be met in full.
Organizations handling CUI will be required to complete a level 2 assessment, conducted by a Certified Third-Party Assessor Organization (C3PAO), to verify compliance with the 110 security requirements of NIST SP 800-171 R2. The CMMC program includes Plans of Action and Milestones (POA&Ms). These plans allow organizations to receive conditional certification for 180 days while they work toward meeting NIST standards for specific requirements outlined in the rule.
Organizations handling CUI for the DoD’s most critical programs are required to complete a level 2 assessment, conducted by a C3PAO. In addition to obtaining a level 2 CMMC certification, the organizations are also required to undergo a government assessment, conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), to verify compliance with the 24 additional requirements derived from NIST SP 800-172. The CMMC program includes Plans of Action and Milestones (POA&Ms). These plans allow organizations to receive conditional certification for 180 days while they work toward meeting NIST standards for specific requirements outlined in the rule.
The CMMC program rule is effective December 16, 2024. Getting a head start on meeting CMMC requirements can help ensure a seamless transition to CMMC 2.0. Auditwerx is a candidate C3PAO offering CMMC Readiness solutions.
