Update on the CMMC Rules Approval Process


Paul L. Kendall, PhD 28 November 2023


On 20 November 2023, the Office of Information and Regulatory Affairs (OIRA – under the OMB) completed its review of the CMMC Rules and has returned them to the DoD for final review and publication in the Federal Register prior to implementation. This is expected within the next few days, perhaps as soon as the afternoon of 1 December 2023. This indicates that final Rules have been approved internally and are ready to be put into practice.


We are expecting to see a total of ten (10) documents approved by OIRA, which constitutes the full current documentation set under CMMC 2.0. These include the following:


  1. CMMC Level 1 Assessment Guide

  2. CMMC Level 2 Assessment Guide

  3. CMMC Level 3 Assessment Guide

  4. CMMC Level 1 Scoping Guide

  5. CMMC Level 2 Scoping Guide

  6. CMMC Level 3 Scoping Guide

  7. CMMC Hashing Guide

  8. CMMC Model Overview

  9. Cybersecurity Maturity Model Certification (CMMC) Program

  10. Title 48 Rule (subparts specific to CMMC, e.g., contractors, policies & procedures, etc.)

This implies that, sixty (60) days after publication in the Federal Register, the DoD will likely begin enforcement of the CMMC requirements according to its stated timeline. For Phase 1, when the CMMC requirement first starts appearing in solicitations, all offerors will be required to conduct a self-assessment, as opposed to obtaining a third-party certification, and provide a positive affirmation of compliance. Then, in Phase 2 (TBD), solicitations will require either self-assessments or third-party certifications, depending on the type of CUI and the required certification level.


DoD has also confirmed that the third-party CMMC certification for some Level 2 and all Level 3 programs will be good for three years, but contractors will be required to provide an annual affirmation confirming compliance. DoD plans to store the CMMC certificates and the associated third-party assessment data in the CMMC Enterprise Mission Assurance Support Services (eMASS) database. The CMMC eMASS will automatically post a copy of a company’s CMMC certificate to the Supplier Performance Risk System (SPRS), but the detailed results of a CMMC assessment will not be made public.


Apart from the third-party certifications required for certain Level 2 and all Level 3 programs, self-assessments required for Level 1 and some Level 2 programs must be performed on an annual basis (accompanied by an associated affirmation by a senior company official). DoD has stated that after completing the self-assessment, at least for Level 1, the company will be required to submit the results and annual affirmation via SPRS. This means many companies that have not yet had to use SPRS will need to create an account and ensure access to the platform.


CMMC is imminent and sooner than many had anticipated. Contractors should prepare their information systems for a CMMC assessment (if they have not already) and seriously consider performing a comprehensive self-assessment sooner rather than later. Companies already required to have a NIST 800-171 assessment score posted in SPRS (based on the requirements in DFARS 252.204-7019 and -7020) should be actively working to remediate any gaps and consider updating their score to ensure it reflects the current posture of the system. In this regard, DoD has announced it will be checking the accuracy of reported scores in SPRS by performing “medium assessments” as described in the DFARS.


Core Insights can assist our clients with conducting assessments against CMMC requirements as well as the NIST SP 800-171/172 security standards, and can prepare Level 1 and Level 2 self-certification documentation for submission to the DoD via eMASS/SPRS. Our CMMC-certified professionals can also assist with ongoing remediation efforts to help you attain and maintain compliance.