The clock is ticking—December 16th, 2024 is approaching fast, and that’s the effective date for the 32 CFR Final Rule. If you’re a contractor or subcontractor working with the Department of Defense (DoD), understanding this rule is critical for your compliance journey. In this blog, we’ll break down some of the key updates in the final rule and what they mean for your path to CMMC 2.0 certification.
New Support Documents and Program Website
The DoD has published new CMMC support documents (including the scoping and assessment guides for each level) on its official CMMC Program Website to give you the tools and resources you need to prepare for certification. These documents are useful for prime contractors and subcontractors alike, so review them as you begin your CMMC preparations.
Supply Chain Compliance: Flow-Down Rule
Prime Contractors: Your Responsibilities
If you’re a prime contractor, the compliance journey doesn’t stop with your own organization. You’re responsible for ensuring that your supply chain, including every subcontractor that will handle FCI or CUI under the contract, meets the applicable CMMC level before you award the subcontract. Start these conversations now to avoid supply chain disruptions down the road. Remember: the Supplier Performance Risk System (SPRS) is not available to prime contractors for looking up a subcontractor’s CMMC status, so you must obtain that confirmation directly from the subcontractor.
Subcontractors: CMMC Applies to You
As a subcontractor, if you handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), CMMC now applies to you: Level 1 if you handle only FCI, and Level 2 if you handle CUI. Begin your certification preparations early to avoid last-minute surprises and to ensure smooth contract negotiations.
Managed Service Providers (MSPs) and Cloud Service Providers (CSPs)
The final rule also offers updates for MSPs and CSPs, clarifying how these service providers fit into the CMMC framework.
MSPs: No Certification Required, But Assessments Apply
MSPs that are not cloud service providers are not required to obtain their own CMMC certification. However, the services they provide to you are still within the scope of your own CMMC assessment, so your assessor will look at how those services are delivered and secured. Partnering with an MSP that holds a Level 2 certification is not mandatory for passing CMMC, but it can offer significant benefits by streamlining the certification process and ensuring compliance best practices are met more efficiently.
CSPs: Narrowed Scope and Clarification
The rule narrows the definition of a Cloud Service Provider (CSP) to providers of cloud computing as defined in NIST SP 800-145, so not every outsourced IT provider is a CSP. It also clarifies how CUI scoping applies to CSPs and to External Service Providers (ESPs) more broadly, making it easier to understand what you must do to stay compliant.
Virtual Desktop Infrastructure (VDI) Client Endpoints – Out of Scope
If an endpoint only hosts a VDI client that is configured to allow nothing beyond Keyboard/Video/Mouse (KVM) interaction with the virtual desktop, so that no FCI/CUI is processed, stored, or transmitted on the local device, that endpoint is considered out of scope for CMMC assessments. The virtual desktops themselves, where the CUI actually lives, remain in scope.
Implementation Timeline Extended
The rollout for Phase 1 of CMMC 2.0 has been extended from six months to one year, starting from the effective date of the 48 CFR Final Rule (expected in Q2/Q3 2025). During this phase, you can expect the following:
- Solicitations will require Level 1 or Level 2 Self-Assessments
- The DoD reserves the right to require Level 2 C3PAO assessments for specific contract awards
- You’ll need to retain artifacts for at least six years
Plan of Action & Milestones (POA&Ms) vs. Operational Plans
There’s been some confusion about POA&Ms versus operational plans, but the new rule offers clarification.
- A POA&M identifies the deficiencies that still need to be resolved before you meet all 110 Level 2 requirements. You’ll have 180 days from the date of your Conditional status to close them out. (Level 1 does not permit a POA&M at all.)
- To be eligible for a POA&M at Level 2, your assessment score must be at least 80% (88 of 110). Only requirements worth 1 point may be placed on the POA&M; no 3-point or 5-point requirements are allowed, with one exception: CUI encryption (SC.L2-3.13.11) may be on the POA&M if encryption is in place but not FIPS-validated. A handful of 1-point requirements are also excluded from the POA&M: AC.L2-3.1.20, AC.L2-3.1.22, PE.L2-3.10.3, PE.L2-3.10.4, and PE.L2-3.10.5.
- An operational plan of action addresses temporary deficiencies that arise after all 110 requirements have been met. Unlike a POA&M, it has no fixed deadline, but you must resolve the issues in a timely manner to maintain compliance.
Affirming Official: A New Role
The term “Senior Official” has been replaced with “Affirming Official”, and this person is responsible for providing affirmation in SPRS. The Affirming Official must be a senior-level representative with the authority to ensure CMMC compliance within the organization. Choose this person wisely, as their affirmation will be key to your compliance success.
Exceptions and Deficiencies: What’s Allowed?
Enduring Exceptions
In some special circumstances, full CMMC compliance isn’t feasible, especially with older or specialized systems (for example, a legacy CNC machine that can’t be patched). The rule introduces the concept of enduring exceptions for these situations. An enduring exception lets such a system remain in use without meeting every requirement in the CMMC framework, provided the exception and its mitigations are documented in your System Security Plan (SSP).
Temporary Deficiencies
Temporary deficiencies are requirements that were implemented but later stopped working as intended, often because a vendor-dependent patch or update is pending. These deficiencies are tracked in your operational plan of action, which keeps your organization on track without tipping it into non-compliance.
CMMC Status and Affirmation Requirements
Once your organization meets or exceeds the minimum assessment score, you’ll receive one of two statuses: Conditional or Final. If you have any open POA&M items, you’ll be assigned Conditional status until they are closed out; if the POA&M isn’t closed within 180 days, the Conditional status expires.
In addition, you must affirm your status in SPRS at the time of each assessment and annually thereafter. Missing the annual affirmation causes your CMMC status to lapse, so make sure you stay on top of this requirement.
Final Thoughts
Understanding these updates is essential to navigating the evolving landscape of CMMC compliance. With the 32 CFR Final Rule in place, now is the time to act. Take the necessary steps to ensure your organization—and your subcontractors—are prepared. By staying informed and proactive, you can secure your contracts, safeguard your business, and maintain your competitive edge in the DoD cybersecurity space. Taking these updates seriously is critical to protecting your future and ensuring your business is ready for what’s next.
Get started now, and make sure your organization is fully prepared for CMMC 2.0.
Still have questions about what this new rule means for you and your business? Help Desk Cavalry is here to help you.
Schedule your free CMMC 2.0 consult today: https://calendly.com/jeremy-hdcav