CMMC Final Rule Published: What Small Businesses Need to Know
On October 15, 2024, the Department of Defense (DoD) officially published the final rule for the Cybersecurity Maturity Model Certification (CMMC) in the Federal Register, marking a significant step in ensuring cybersecurity compliance across the defense industrial base (DIB). With the release of this final rule, contractors and subcontractors, including small businesses, must prepare for the phased implementation of CMMC requirements that will be rolled into defense contracts over the next few years.
Here’s what small businesses need to know to prepare, including key deadlines, phased rollout details, and updates from the previous draft rule published in December 2023.
Key Changes from the December 2023 Draft
The final rule remains largely aligned with the December 2023 draft rule but incorporates some key updates to clarify and simplify compliance:
Extended Phased Implementation:
The final rule extends the phased implementation schedule, allowing businesses more time to adjust. Phase 1 will begin immediately after the CMMC Clause Rule (48 CFR Part 252) is finalized (targeted for 2025), with subsequent phases spaced over three years.
Changes to Self-Assessment and Third-Party Audits:
For Level 1 and some Level 2 contracts, self-assessments will be required annually. However, third-party assessments will be mandatory for contracts involving sensitive Controlled Unclassified Information (CUI).
Plans of Action and Milestones (POA&Ms):
Conditional certification for non-critical requirements has been introduced for Level 2 and 3 assessments, allowing businesses 180 days to meet certain security controls while maintaining contract eligibility.
Timeline for CMMC Implementation
The final rule outlines a phased rollout to allow businesses, especially small businesses, sufficient time to comply:
Phase 1 (Mid-2025):
DoD will start including CMMC Level 1 or 2 self-assessment requirements in new contracts. For higher-risk contracts, Level 2 assessments by a CMMC Third-Party Assessment Organization (C3PAO) may be required.
Phase 2 (2026):
Additional contracts will begin requiring Level 2 third-party assessments and, where applicable, Level 3 assessments by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
Phase 3 (2027):
CMMC Level 2 and 3 requirements will extend to contract options and modifications, including contracts awarded before the final rule.
Phase 4 (2028):
CMMC requirements will be mandatory across all DoD contracts.
What Small Businesses Should Do Now About CMMC Compliance
To prepare for CMMC compliance, small businesses should start planning immediately:
- Review Existing Contracts: Evaluate whether your contracts involve Federal Contract Information (FCI) or CUI, as this will determine which CMMC level you need.
- Conduct Readiness Assessments: Perform internal audits or engage certified third-party consultants or assessors to review your current cybersecurity controls.
- Develop and Update Security Plans: Create or refine your System Security Plans (SSP) and POA&Ms to ensure you have a clear roadmap for meeting CMMC requirements.
Looking Ahead: The 48 CFR Part 252 Rule
The implementation of CMMC hinges on the finalization of the CMMC Clause Rule (48 CFR Part 252), expected in early to mid-2025. Once this rule is finalized, CMMC requirements will start appearing in all applicable DoD contracts. Small businesses should be aware that CMMC compliance will not only be mandatory for prime contractors but also for subcontractors.
Simplify and Reduce the Cost of CMMC with CORE Vault
For small businesses looking to streamline their CMMC compliance journey, CORE Vault provides an all-in-one solution. CORE Vault helps organizations securely manage Controlled Unclassified Information (CUI), comply with CMMC requirements, and reduce the overall cost of cybersecurity implementation. With built-in tools to simplify documentation, compliance tracking, and secure data storage, CORE Vault offers a cost-effective way for small businesses to meet their CMMC obligations while focusing on their core business.
Additional Considerations
Cloud Service Providers (CSPs) and Managed Service Providers (MSPs):
The final rule offers clarifications on the role of third-party service providers, specifying when FedRAMP authorization is required and when external service providers need to be certified.
Cost Considerations:
While CMMC compliance might seem burdensome for small businesses, there are resources and tools available to help mitigate the costs. The DoD is working with industry partners to streamline assessments.
By beginning preparations now and leveraging solutions like CORE Vault, small businesses can ensure they are ready to meet the necessary cybersecurity standards as the CMMC is gradually implemented over the next few years.
About CORE Vault for NIST CMMC
Everything you need for NIST/CMMC in one cloud-based solution: the CORE Vault CUI Enclave and Consulting Services.
If you contract with the Department of Defense, you require advanced cybersecurity protections. To comply with DFARS, you need to meet the requirements of NIST SP 800-171. Soon, DoD contractors will also need to meet the requirements of Cybersecurity Maturity Model Certification (CMMC 2.0). However, most contractors don’t have the resources to overhaul their entire network for compliance. With CORE Vault, you don’t have to.
With CORE Vault, you can separate government data from your network and access it through a secure, cloud-based environment managed by our cyber experts.
CORE Vault also includes the support needed to reach full compliance with the non-technical cybersecurity requirements, such as your system security plan and required policies.
We’ve seen contractors achieve their maximum DoD-required SPRS score in 30 days.