From compliance to confidence: Mastering the new CMMC requirements
The Cybersecurity Maturity Model Certification (CMMC) is finally here, marking a significant milestone in the Department of Defense’s (DoD) efforts to enhance cybersecurity across the defense industrial base. The CMMC Final Rule was published on October 15, 2024, and is set to go into effect on December 16, 2024. This new framework aims to ensure that all defense contractors implement necessary cybersecurity safeguards to protect controlled unclassified information (CUI) and federal contract information (FCI).
Phased implementation
Defense contractors will begin to see compliance requirements phased in over the next few years. The implementation timeline is structured in four phases, starting with Phase 1 on December 16, 2024, and culminating in Phase 4 three years later. This phased approach allows contractors to gradually adapt to the new requirements and ensures a smooth transition to full compliance.
The phased implementation of the CMMC is designed to provide a structured and manageable transition for defense contractors. The phases break down as follows:
- Phase 1: The first phase begins on December 16, 2024. During this phase, the DoD can begin to include CMMC requirements in new contracts. Contractors will need to meet Level 1 or Level 2 self-assessment requirements as a condition of contract award.
- Phase 2: The second phase starts one year after the effective date, on December 16, 2025. In this phase, contractors handling CUI will be required to undergo a third-party assessment by a certified assessor organization as a condition of award.
- Phase 3: The third phase begins two years after the effective date, on December 16, 2026. This phase involves the DoD conducting Level 3 CMMC assessments for contracts involving the most sensitive CUI.
- Phase 4: The final phase starts three years after the effective date, on December 16, 2027. This phase marks the full implementation of the CMMC requirements across all applicable solicitations and contracts.
This phased approach is intended to address ramp-up issues, provide time to train the necessary number of assessors and allow companies the time needed to understand and implement CMMC requirements.
Compliance clarifications
The final CMMC rule provides several key clarifications that are crucial for defense contractors to understand:
- The operational plan of action allows contractors to identify temporary vulnerabilities and deficiencies, as opposed to documenting them in a plan of action and milestones (POA&M). This allows management to remediate vulnerabilities or deficiencies identified through the normal operation of detective controls without taking the organization out of compliance.
- Contractors must retain artifacts used in evidence for an assessment for at least six years after the date of their certification assessment. This retention obligation extends to the annual self-certifications that contractors must perform.
- External service providers are not required to have CMMC certification but are “in-scope” if they store, transmit or process CUI.
- An endpoint hosting a virtual desktop infrastructure (VDI) client configured to disallow processing, storage or transmission of CUI beyond keyboard/video/mouse sent to the VDI client is considered an out-of-scope asset.
What to do next
With the CMMC Final Rule now in effect, defense contractors must take several steps to become compliant and properly flow down the compliance requirements to their subcontractors. Some key actions to take include:
- Understand your CMMC level.
Based on the type of information your organization handles, determine the appropriate CMMC level for your organization. This will guide your compliance efforts and help you identify the specific requirements you need to meet.
The three levels are:
- Level 1: Basic protection of FCI, requiring an annual self-assessment.
- Level 2: General protection of CUI, which can be achieved through either a third-party assessment or a self-assessment.
- Level 3: Enhanced protection against advanced persistent threats, requiring an assessment led by the Defense Industrial Base Cybersecurity Assessment Center.
- Conduct proper scoping of your environment.
Proper scoping of your environment for CMMC is crucial because it clearly defines the boundaries where CUI is stored, processed and transmitted within your organization. This allows you to focus security efforts only on the relevant systems and data, minimizing the scope of your assessment and ultimately reducing the cost and complexity of achieving compliance while ensuring the most critical assets are adequately protected. If not done correctly, your entire network could be considered “in-scope” for assessment, leading to unnecessary overhead and potential noncompliance issues.
- Perform a gap analysis.
Assess your current cybersecurity posture against the CMMC standards. Conduct a thorough gap analysis to identify deficiencies in your existing cybersecurity controls. This will help you develop a POA&M to address these gaps and achieve compliance.
- Implement required controls.
Based on the results of your gap analysis, implement the necessary cybersecurity controls to meet the CMMC requirements. This may involve updating your policies, procedures and technical controls, or implementing new technology.
- Prepare for assessment.
Whether you are undergoing a self-assessment or a third-party assessment, ensure that you have all the required documentation and evidence in place. This includes maintaining control evidence for six years and being prepared for potential audits by the DoD.
- Flow down requirements to subcontractors.
Ensure that your subcontractors are also compliant with the CMMC requirements. This involves flowing down the relevant requirements to all subcontractors at every tier and verifying their compliance.
By following these steps, defense contractors can help ensure that they are fully compliant with the CMMC requirements and are well-prepared to protect sensitive information from evolving cyberthreats.
How Wipfli can help
We understand the intricacies of CMMC compliance and offer tailored solutions to navigate its complexities, along with all our robust and agile cybersecurity services. To learn more, see our cybersecurity services page.