Guest Blog

A new CMMC Proposed Rule means GovCons need to evaluate their cybersecurity – now

The Cybersecurity Maturity Model Certification (CMMC) Proposed Rule, released in the Federal Register on December 26, 2023, outlines the implementation of the comprehensive CMMC 2.0 Program

As a government contractor (GovCon), how often do you review your own internal cybersecurity policies and procedures? Aside from being good business practice to help you stay secure, it also helps you maintain regulatory compliance with federal mandates.  

A recently released Proposed Rule from the federal government has the potential to change how government contractors (GovCons) approach cybersecurity, so you'll want to understand what it means for you and what you'll need to do.

The latest Cybersecurity Maturity Model Certification (CMMC) Proposed Rule 

This new rule establishes a three-level model (Levels 1 through 3), assessment objectives, and contract-based implementation for defense contractors handling sensitive information such as Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). The Department of Defense (DOD) CIO oversees the CMMC Program, while the CMMC Program Management Office (PMO) manages the program and the certification levels. The Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) conducts Level 3 certification assessments, and the Accreditation Body (AB) authorizes and accredits the CMMC Third Party Assessment Organizations (C3PAOs) that conduct Level 2 certification assessments.

The Proposed Rule highlights procedures for reporting and utilizing assessment results, with DOD's Supplier Performance Risk System (SPRS) functioning as the official source for posting certification levels. The rule acknowledges the impact on small businesses, providing them with a ramp-up period and allowing self-assessments for initial compliance. The rule's primary goal is to improve the security of the Department's supply chain by mandating stricter cybersecurity standards and phased implementation. 

The CMMC 2.0 Program aims to establish a more consistent and standardized approach to assessing contractors' cybersecurity practices. The previous system, built on Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, relied on contractor self-attestation that NIST SP 800-171 had been implemented (later supplemented by self-assessment scores posted to SPRS), and lacked consistency in how compliance was evaluated. Under the CMMC 2.0 Program, contractors handling CUI will, in most cases, be assessed by trained and certified third-party assessors against specific cybersecurity requirements, with the most sensitive programs assessed by DIBCAC at Level 3; only Level 1 (FCI only) and a limited set of Level 2 efforts remain self-assessed. This approach provides a more thorough and objective evaluation of an organization's cybersecurity posture, reducing the risk of gaps being overlooked.

Issues and challenges of the Proposed Rule 

The current CMMC Proposed Rule presents several challenges: 

1. NIST 800-171 is "locked in" at revision 2.

The CMMC Proposed Rule specifically locks in the National Institute of Standards and Technology (NIST) standard NIST SP 800-171 at Revision 2. This means that contractors are assessed against the controls and assessment objectives of that particular revision, even though NIST SP 800-171 Revision 3 was already in final public draft when the Proposed Rule was published. The cybersecurity landscape evolves quickly, and the threats and vulnerabilities organizations face are continually changing, so a "locked in" revision runs the risk of lagging behind the latest NIST guidance and best practices.

2. Comparison with DFARS 252.204-7012 regulation.

Unlike the CMMC Proposed Rule, the DFARS 252.204-7012 clause does not name a fixed revision of NIST SP 800-171; it points to the version in effect at the time the solicitation is issued. This gives contractors room to adapt and evolve their cybersecurity practices as new revisions of NIST SP 800-171 are released. The lock-in of a specific revision in the CMMC Proposed Rule could put contractors at a disadvantage, as they may be certified against a superseded revision while their 7012 obligations track the newer one.

3. Cost and resource implications.

Compliance with the CMMC Proposed Rule requires significant investment in cybersecurity systems, personnel training, and third-party assessments. For small and medium-sized contractors, these costs may be prohibitive, and capable cyber and compliance staffing may be short or inaccessible. 

4. Potential for confusion and overlap

Many contractors already adhere to industry-specific cybersecurity standards and regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) or the Payment Card Industry Data Security Standard (PCI DSS). The introduction of the CMMC Proposed Rule could potentially create confusion and overlap with these existing requirements, leading to duplication of efforts and resources. 

5. Competitive disadvantages for small businesses.

The complexity and cost of compliance with the CMMC Proposed Rule could put small businesses at a competitive disadvantage. They may not have the resources or expertise to meet the requirements, leading them to lose out on lucrative government contracts. 

6. Need for clear and consistent guidance.

As seen with the implementation of DFARS 252.204-7012, there can often be confusion and inconsistencies in the interpretation and enforcement of cybersecurity requirements for government contractors. It will be essential for the DOD CMMC PMO and the CMMC Accreditation Body to provide clear and consistent guidance on compliance with the proposed rule, and for C3PAOs to apply it uniformly, to avoid similar issues.

7. Impact on supply chain.

The CMMC Proposed Rule not only applies to prime contractors but also their subcontractors and lower-tier supply chain, creating a ripple effect throughout the entire Defense Industry supply chain. This could potentially lead to delays and increasing costs for completing projects, as well as the need for smaller businesses to also invest in compliance measures that they may be unprepared for, both from a financial and resource perspective. 

8. International reach.

The CMMC Proposed Rule could have implications for international companies seeking to do business with the US government. The added cybersecurity requirements may be seen as a barrier to entry, leading to reduced competition and potential trade barriers. This could have wider economic impacts, particularly for countries heavily involved in government contracting. 

9. Operational Technology de-scoping.

The CMMC Proposed Rule treats Operational Technology (OT) as a "Specialized Asset": it is not assessed against the NIST SP 800-171 requirements, which alleviates some of the compliance burden for organizations that rely heavily on OT. Note, however, that such assets are not simply out of scope; they still have to be documented in the asset inventory, System Security Plan (SSP), and network diagram, and managed under the organization's risk-based security policies. The de-scoping also raises questions about the assurance of cybersecurity for OT systems, which are often integral to the operations of many businesses, particularly in manufacturing, utilities, and transportation. A challenge moving forward will be striking a balance between ensuring robust cybersecurity measures and not overburdening businesses with compliance demands.

The timeline for the Proposed Rule 

When the CMMC Proposed Rule was published on December 26, 2023, it opened a period of public review and comment aimed at gathering industry feedback. This period lasted 60 days, running until February 26, 2024. After the close of the comment period, DOD reviews the comments and may revise the rule based on the feedback collected. This process can take several months, depending on the volume and complexity of the comments received. On that basis the final rule could be expected in the Federal Register around mid-to-late 2024, although this is an approximate timeline and subject to change.

Right now, the DOD CIO is stating that they are "processing all comments in real-time" and expects to have the final rule out "by or before the election." This is an aggressive timeline for contractors, who may see CMMC Level 2 certification requirements in solicitations as early as 2025.

Phased roll-out of CMMC into contracts 

The CMMC Proposed Rule introduced a structured rollout plan for cybersecurity standards across the Defense Industrial Base (DIB). Specifically, the rule outlines a four-phase rollout designed to integrate the updated requirements gradually:

Phase 1 – 0 to 6 months: During the six months following the rule's effective date, the emphasis will be on requiring Level 1 and Level 2 self-assessments as a condition of award in new contracts and newly exercised option years. Note that DOD has the discretion to start requiring some CMMC Level 2 certification assessments during this period. Keep an eye on your current contracts' Period of Performance (PoP) for anything renewing, rebidding, or entering a new option year in these first six months.

Phase 2 – 6 to 18 months: In the 6-to-18-month period after the rule takes effect, DOD will focus on rolling out CMMC Level 2 certification as a condition of award for new contracts and new option years. Note that DOD also has the discretion to begin including CMMC Level 3 requirements in select solicitations or new contracts.

Phase 3 – 18 to 30 months: This phase rolls out CMMC Level 3 certification requirements into new solicitations, contracts, and contract option years. Note: DOD may opt to delay or waive requirements as it deems appropriate.

Phase 4 – 30+ months: The final phase marks full implementation of CMMC across all new contracts in the DIB for Levels 1 through 3. At this point every contractor must meet the defined cybersecurity standards, whether through a CMMC certification level or a Level 1 self-assessment, and the supply chain is covered through the flow-down mandate.

The four-phase rollout will have significant ramifications for defense contractors. Initially, the inclusion of Level 1 and Level 2 Self-Assessment requirements in the contract awarding process introduces an immediate compliance challenge. Contractors must quickly ensure that their cybersecurity infrastructure meets these initial standards to remain competitive and eligible for contract renewals and new business. As the DOD progresses to phase 2, expanding Level 2 certification and potentially introducing Level 3 requirements, contractors must invest in their cybersecurity systems or risk falling out of step with the new mandates, jeopardizing their ability to win new contracts and exercise option years.  

Reaching phases 3 and 4 increases the stringency and scope of compliance, requiring contractors to fully integrate advanced cybersecurity measures into their operations. The phased approach gives defense contractors a structured timeline for compliance but emphasizes a continuous evolution of cybersecurity practices to align with the DOD's aspirations of a fortified DIB. 

As the CMMC Proposed Rule proceeds through review and adjudication, it is poised to bring transformative changes to the DIB. This pivotal development is expected to further standardize and strengthen cybersecurity measures across the board, compelling all entities within the DIB to elevate their systems and protocols to meet the rigorous requirements of CMMC 2.0. It ensures not just a bolstered shield against potential cyber threats but also demands a culture of continuous cyber vigilance that could serve as a framework for other sectors seeking to safeguard their data.  

While much still needs to be clarified and resolved in the current CMMC Proposed Rule, DOD is likely intent on staying the projected course with an aggressively firm rollout requiring full cooperation of the DIB and its supply chain.  The impact of the rule will resonate with an increased assurance of security for defense-related activities and a defined path forward for contractors and subcontractors.  

The next step for GovCons: evaluating their cybersecurity posture 

The impact of the CMMC Proposed Rule will likely be broad and affect current and future awards for most government contractors. Now is the time to start evaluating your security protocols and consider steps you can proactively take to prepare.  

As a CMMC Registered Practitioner Organization (RPO), BDO has built an IT security compliance team that possesses a deep bench of advanced degrees in Cybersecurity and Information Assurance combined with over 30 years of experience supporting cybersecurity and IT programs in information technology, information assurance, and cybersecurity. BDO’s professionals consist of cybersecurity and information assurance specialists with multiple industry cybersecurity certifications and extensive years of experience in designing cyber solutions for the most demanding threat environments.  Our team includes CMMC-certified Registered Practitioners and CMMC Certified Assessors with cybersecurity industry certifications, such as EC-Council, ISACA, CompTIA, (ISC)2 and GIAC certified professionals.   

BDO works with clients at any stage of their compliance program. Our personnel will walk you through our 6-stage process and determine a starting point based on the status of your internal compliance program. BDO will fully engage all members of your team, using worksheets and questionnaires to build a comprehensive view of your policies and technical solutions. The BDO team will address any deficiencies, whether in policies and procedures or in technical solution design, and guide you through the proper implementation of all security controls for your organization's business and mission needs. Email us at CMMC@bdo.com today to speak to a Cyber Specialist.