In case you were wrapped up in your holiday plans (as you should be!) and didn’t hear, the CMMC Proposed Rule was officially published in the Federal Register on December 26, 2023. The immediate next step is the public comment period, which ends on February 26, 2024. What does this mean for the organizations that make up the Defense Industrial Base (DIB)? Quite a bit. We’ll release more detailed commentary over the coming months, but here we’ll cover the two most important points.
CMMC Proposed Rule Means CMMC is Happening
Yes, there have been plenty of delays and hiccups along the way, but the fact now stands: organizations that do work with the DoD and process, store, or transmit FCI or CUI will be required to meet one of the three CMMC levels, with the requirement phased into contracts over roughly the next two years.
The CMMC Proposed Rule (posted for public inspection the Friday before its publication) describes, in the following excerpt, which organizations CMMC applies to and how it will be implemented in a phased approach:
Section 170.3 identifies entities to which the rule applies and how the Department intends to implement the rule. The rule applies to defense contractors and subcontractors that will process, store, or transmit FCI or CUI, and private-sector businesses or other entities that are specified in Subpart C. Government information systems that are operated by contractors and subcontractors in support of the Government do not apply to this rule. CMMC Program requirements apply to DoD solicitations and contracts requiring defense contractors and subcontractors to process, store, or transmit FCI or CUI. Exceptions to the applicability of this rule are addressed in § 170.3(c)(1) and (2). Department Program Managers or requiring activities will determine which CMMC Level will apply to a contract or procurement. Applicability of the CMMC Level to subcontractors is addressed in § 170.23.
Section 170.3 addresses the four-phased implementation plan of the CMMC Program requirements in solicitations and contracts. Phase 1 begins on the effective date of the CMMC revision to DFARS 252.204-7021. More information regarding Phase 1 can be found in § 170.3(e)(1). Phase 2 begins six months after the start date of Phase 1. More information regarding Phase 2 can be found in § 170.3(e)(2). Phase 3 begins one calendar year after the start date of Phase 2. More information regarding Phase 3 can be found in § 170.3(e)(3). Phase 4, or full implementation, begins one calendar year after the start date of Phase 3. More information regarding Phase 4 can be found in § 170.3(e)(4).
CMMC Requirements Have Not Changed
As referenced in the CMMC Proposed Rule:
The CMMC Program verifies implementation of security requirements in FAR 52.204-21, NIST SP 800-171 Rev 2, and NIST SP 800-172, as applicable.
This means NIST SP 800-171 Revision 2 should already be implemented by organizations that handle CUI/CDI/CTI, since those organizations are already subject to DFARS 252.204-7012, 7019, and 7020, and will now be subject to 7021 (CMMC) as well. CMMC’s primary purpose is to validate through a third-party assessment that these existing requirements are actually being met. If you are not fully compliant or haven’t started implementation, don’t wait until your contracts require CMMC before implementing what’s already in your contracts today (i.e., DFARS 252.204-7012, which already requires NIST SP 800-171).
Where Do I Start?
Understanding your scope of CUI and FCI is critical to how you prepare for and implement the requirements for handling sensitive information. No organization can make a confident decision on which approach is best for it until it understands its data flows, user workflows, and who, what, and where CUI is processed, stored, and transmitted.
The cost of implementing NIST SP 800-171 can increase drastically when scoping decisions are made on assumptions rather than on industry experience. Should your whole organization be in scope, or only portions of it? Can the CUI data flows be segmented off your network to keep costs down and take administrative burden off your employees? These are questions that need to be answered before you choose an approach.
The three most common approaches are:
- Hardening your existing infrastructure (DIY)
- Migrating your network to a Government cloud (Rip and Replace)
- Moving all CUI processes to a CUI enclave like Cuick Trac
Each of these approaches comes with different timelines, costs, organizational impact, and administrative responsibility.
Learn how Cuick Trac’s enclave is the most affordable and practical way to fully segment CUI off your network in a quick demo with our security experts.