Update: The Final Rule for the Cybersecurity Maturity Model Certification (CMMC) 2.0 went into effect on Monday, December 16, 2024. It requires all defense contractors working with controlled unclassified information (CUI) or federal contract information (FCI) to meet one of three levels of CMMC compliance, depending on the sensitivity of the information they handle.
C3PAOs will be able to officially begin providing Level 2 assessments on January 2, 2025, per the guidance in the rule, so ensuring your organization is prepared for the CMMC certification process is critical.
To learn more about the CMMC levels and assessment requirements, access our CMMC Guide & Checklist.
On October 11, 2024, the Cybersecurity Maturity Model Certification (CMMC) 2.0 Final Rule was released by the Office of Information and Regulatory Affairs (OIRA), and the Final Rule is now published in the Federal Register.
Now that CMMC has been finalized, there will likely be a flood of requests to CMMC Third-Party Assessment Organizations (C3PAOs) from Organizations Seeking Certification (OSCs). If your organization has contracts with the Department of Defense (DOD), you might be required to prove and certify your CMMC compliance, so now is the time to start preparing if you have not already.
CMMC assessment preparation starts with documentation. Because the CMMC levels are cumulative, it helps to first ensure your teams can meet the controls and assessment objectives of CMMC Level 1 before seeking a Level 2 certification. For Level 2, a detailed and comprehensive System Security Plan (SSP) that outlines how your organization meets the 110 controls of NIST SP 800-171 is a prerequisite for certification. Additional documentation supporting the SSP, and a Plan of Action and Milestones (POA&M) covering any controls that are currently unmet, are also necessary.
CMMC 2.0 introduces many requirements, including subcontractor compliance oversight and additional incident notification obligations, but as a Registered Practitioner Organization (RPO), CampusGuard can help. Planning and setting the foundation for a successful CMMC certification is complex and takes time, so don’t wait: new DOD contracts may require CMMC assessments as early as Q1 2025.
Many universities have already begun preparation, and the documentation can be extensive. Your teams will need to produce auditable artifacts, or evidence, showing how the intent of each control is met. Applying the required controls is also easier when your Controlled Unclassified Information (CUI) is isolated to a specific enclave or set of applications, so defining and limiting the scope of your CMMC environment is critical. It is equally important to understand any dependencies your in-scope environments have on shared infrastructure or services, since those shared components may be pulled into scope as well.
Check out our article, Prepare for CMMC in 5 Steps: A Higher Ed Focus, for steps your organization can be taking now to prepare.
CMMC benefits include:
- Protecting sensitive information to empower and safeguard the warfighter.
- Upholding DIB cybersecurity standards to address emerging threats.
- Promoting accountability while reducing obstacles to compliance with DoD requirements.
- Fostering a collaborative environment focused on cybersecurity and resilience.
- Building public trust through exemplary professional and ethical standards.
Contact your dedicated CampusGuard team to engage with a Registered Practitioner Advanced (RPA) to perform a Readiness Assessment, review your in-scope environment(s), and identify any potential gaps in compliance prior to the required assessment by a C3PAO.
Resources:
DoD Press Release: Cybersecurity Maturity Model Certification Program Final Rule Published
CMMC Documentation, Scoping Guidance, and Assessment Guides: CMMC Documentation (defense.gov)
Cyber AB CMMC Town Hall Meetings: September 2024 Town Hall – CyberAB