On October 15, 2024, the Cybersecurity Maturity Model Certification (CMMC) Rule (titled 32 CFR) was published in the Federal Register as a final rule, officially establishing the CMMC program as the Department of Defense (DoD) program for protecting Controlled Unclassified Information (CUI) and sensitive contract information across the Defense Industrial Base.¹
As expected, the 32 CFR rule defines the roles and structure of the CMMC ecosystem, establishes a tiered certification structure, and outlines the process for achieving and maintaining the certification at each level. While there are a few changes to interpretation and logistics of the CMMC program, there aren’t significant deviations from the proposed rule that was released last December.
Below is an overview of key aspects of the 32 CFR rule.
- It Establishes the CMMC Program, Ecosystem of Assessors, & Approach to Achieving CMMC Certification. The CMMC program is fully established, vesting responsibility in the private Cyber AB as the authority for credentialing CMMC 3rd Party Assessment Organizations (C3PAOs)—like Forvis Mazars—as well as for the Certification Assessment Process (CAP) that assessors will follow to assess compliance.
- Joint Surveillance Voluntary Assessments (JSVAs) Convert to CMMC Level 2 Certifications. Assessments that were performed under the JSVA program with Defense Contract Management Agency (DCMA) will convert to Level 2 certifications with a standard three-year lifecycle, effective from the completion date of the assessment.
- The JSVA Program Is Now Retired. DCMA has indicated that no more JSVAs will be scheduled through the rest of the year. Contractors needing a CMMC Level 2 certification will need to engage with a C3PAO directly to schedule and conduct the assessment. These are likely to begin at the end of 2024 or early 2025.
- Revision 2 of NIST 800-171 Lives On … For Now. The older revision of NIST 800-171 will continue to be used as the basis for CMMC assessments and certification at Level 2. Though Revision 3 has been released, DoD has not incorporated the newer requirements into the CMMC program, but could in the future, using a class deviation from the rule.
- CMMC Certifications Are Required Every Three Years. As expected, CMMC certifications at Levels 1 and 2 carry a three-year life cycle. For Level 2 certifications, the “off years” (two and three) will require the contractor to “affirm” that they remain compliant with all requirements of their CMMC certification, including compliance with NIST 800-171 Rev. 2.
- Phased Rollout Timeline Has Been Extended. The initial rollout of the third-party assessor requirement was expected to begin six months after publication. That has been extended to twelve months, allowing contractors additional time to complete the assessment, while also reducing stress on the C3PAO ecosystem, which will be limited at rollout.
- Managed Service Providers (MSPs) May No Longer Be Required to Obtain a CMMC Certification. Where MSPs have no direct access to CUI, a CMMC certification matching that of their customer will no longer be required. Instead, MSPs can provide a Shared Responsibility Matrix and be included in the scope of their customer’s CMMC assessment. External service and cloud service providers who do transmit, process, or store CUI on behalf of a contractor will still be required to achieve the requisite certification level.
- Endpoints Accessing Virtual Desktop Infrastructure (VDI) From Outside the CUI Boundary May Not Be in Scope. Organizations using endpoints to access virtual desktops from outside environments where CUI is stored finally have clarity on the inclusion of those endpoints. The final rule indicates that, if proper boundary segmentation requirements are met, those external endpoints are not in scope for the NIST 800-171 requirements.
What’s Next?
CMMC Certification Assessments Can Now Begin
Once the final rule goes into effect on December 15, 2024, the community of authorized C3PAOs will begin completing CMMC Level 2 certification assessments. Contractors can now directly engage with an authorized C3PAO—like Forvis Mazars—to begin planning a CMMC Level 2 Assessment if it’s required for the performance of their DoD contract.
The Forthcoming 48 CFR Rule Will Integrate CMMC Into DoD RFPs & Contracts
While the Final 32 CFR Rule establishes the CMMC program and its rollout, a second rule will authorize DoD contracting officers and programs to integrate the CMMC certification requirement into their contracts as a condition of contract award. This rule is expected to be published in late Q1 2025 and will be immediately incorporated into a selection of DoD RFPs.
Look for significant thought leadership content over the coming months as the CMMC program is fully rolled out. If you have any questions, please contact a Forvis Mazars professional or Tom Tollerton, leader of the firm’s CMMC Solutions Group.
¹ “Cybersecurity Maturity Model Certification (CMMC) Program Final Rule,” federalregister.gov, October 15, 2024.