CMMC Rule Published: Important Updates


It took 3 years, 10 months, and 26 days, but it finally happened. The CMMC rule has officially been published. On December 26th the Department of Defense (DoD) had CMMC published to the Federal Register.

CMMC was published as a proposed rule instead of a final rule. What does this mean for members of the Defense Industrial Base (DIB)?

This means that before CMMC goes into DoD contracts, there will be a public comment period. That public comment period is scheduled to close on February 26, 2024. This deadline is only for anyone for anyone planning to submit feedback to the DoD.

The DoD then needs to respond to those public comments. On average, this takes the DoD about a year or so to complete. This means we will see CMMC officially in contracts sometime in Q1 of 2025.

People will find there are not as many major changes like we saw when we went from CMMC 1.0 to 2.0. There are still 3 levels:

  • Level 1 is for organizations that handle Federal Contract Information (FCI)and require an annual affirmation. This level has 17 requirements from Federal Acquisition Regulation (FAR) Clause 52.204-21.
  • Level 2 is for organizations that handle Controlled Unclassified Information (CUI) data. This level has third party assessments required to ensure compliance with the NIST SP 800-171 standard. These requirements have been in place since 2017 when DFARS clause 7012 went into effect.
  • Level 3 is for organizations that handle specialized CUI data and will require additional controls from NIST 800-172. Organizations will have to pass a third party assessment from a C3PAO as well as the DOD.

Plan of Action and Milestones are still allowed for certain controls, and the cybersecurity requirements are still the same for FCI and CUI. So, what is different?

CMMC Updates to be aware of:

Cost of Compliance is not a Consideration

The DoD emphasizes multiple times that these controls should have already been implemented. Therefore, the DoD did not include any cost estimates in the published rule. The only costs that are estimated are the CMMC Assessment costs from a C3PAO.

These estimated costs are likely lower than we will initially see. Market forces will drive prices up as more companies need this certification. Additionally, the number of organizations that will need compliance is likely much higher. This is because the DoD is only able to see two layers deep into the supply chain.

Estimated Number of Organizations Needing CMMC

Number of total entities over a phased implementation period:

  • Level 1 Self Assessment: 139,201
  • Level 2 Self Assessment: 4,000
  • Level 2 Certification: 76,598
  • Level 3 Certification: 1,487

Estimated Costs Per Level

For CMMC Levels 1 and 2, the cost estimates are only for the assessment, certification and affirmation activities required. These estimates only include the costs an organization must take to allow the DoD to verify implementation of the requirements.

The DoD did not consider the cost implementing the security requirements themselves. This is because the Level 1 requirements have been in effect since June 15, 2016. The Level 2 requirements have been in place since December 31st, 2017.

Therefore, the costs of implementing those requirements should have already been incurred. CMMC only requires verification of these existing requirements. That is why the cost estimates to implement the Level 1 and 2 requirements are not included. Just the costs of verifying implementation are included.

However, because the CMMC Level 3 requirements are new, the costs to implement those are included.

Other than Small Entities Cost Per Assessment:

  • Level 1 Self-Assessment: $4,042
  • Level 2 Self-Assessment: $48,827
  • Level 2 Certification: $117,768
  • Level 3 Certification: $44,444

Small Entities Cost Per Assessment:

  • Level 1 Self-Assessment: $5,977
  • Level 2 Self-Assessment: $37,196
  • Level 2 Certification: $104,670
  • Level 3 Certification: $12,802

Phased Implementation Approach

The rule proposes a three year phased approach in requiring CMMC in contracts. Every year, the DoD will choose a certain number of contracts that will have the CMMC requirement. The number of contracts requiring CMMC certification will increase each year until every contract has the requirement.

CMMC Only for New Contracts

When the CMMC final rule is published, it will not retroactively apply to old contracts. It will start out only required for new contracts, and the DoD will state 6 months before the solicitation is issued if CMMC is a requirement.

Managed Service Provider and External Service Providers Must Meet CMMC Level Requirements

The most important update is regarding external service providers (ESP). ESP’s are external people, technology, or facilities that an organization utilizes for IT and/or cybersecurity services on behalf of the organization. In order to be considered an ESP, CUI or Security Protection Data must be processed on ESP assets. Security Protection Data are things like, log data and configuration data.

If the organization seeking compliance uses an ESP, the ESP must have a CMMC Level 2 Certificate. Not all ESP’s are external. If the ESP is internal, then the security requirements implemented must be documented. The System Security Plan should show how the ESP is connected to the in-scope environment.

Cloud Service Providers must meet FedRAMP Moderate Requirements

Organizations seeking compliance must use a FedRAMP moderate or higher cloud environment to process, store or transmit CUI. There are a couple different ways that cloud service providers can meet this requirement:

  • The CSP’s product or service is listed in the FedRAMP marketplace
  • The CSP’s product or service is not listed in the FedRAMP marketplace, but still meets the requirements
  • In order to show evidence of meeting this controls, the OSC must have security documentation to prove so. This documentation should include a System Security Plan, or other documentation that describes the environment, system responsibilities, and current status of the controls. Also necessary is a Customer Responsibility Matrix (CRM). The CRM shows how the CSP is meeting each control, and which controls are the responsibility of the OSC.

Any of the OSC’s on-premise infrastructure that connects to the CSP is in scope. Because of this, OSC’s should refer and document the CRM in their SSP.

Next Steps for Contractors:

With the CMMC Rule officially being published, now more than ever ensuring compliance is crucial for DoD contractors. Navigating these cybersecurity requirements demands expertise, and the FirstCall Compliance team is ready to be your guide. Having helped hundreds of organizations already, we specialize in making CMMC compliance seamless.

Act now. The repercussions of non-compliance are significant. Don’t let uncertainties hinder your chances of securing DoD contracts. Our team is poised to assess your needs, craft tailored strategies, and walk you through the compliance process.

By choosing the FirstCall Compliance team, you’re not just meeting regulations – you’re safeguarding your business’s future. As the regulatory landscape tightens, investing in cybersecurity is an investment in your success.

Seize this opportunity to fortify your cybersecurity and solidify your position as a trusted DoD contract partner. The FirstCall Compliance team is ready to empower your journey toward CMMC certification.

Reach out now and let’s secure your success together.

Published On: February 1st, 2024 / Categories: CMMC /

Subscribe To Receive The Latest News

Looking to keep a finger on the pulse of SAP advancements? Subscribe to our FirstCall newsletter. It’s not just an update—it’s your insider access to SAP secrets, expert analyses, and the freshest trends. All thoughtfully curated and delivered to your inbox.