Officially, as of October 15, 2024, the wait for CMMC 2.0 is over! With the release of the Final CMMC 2.0 Rule, the Department of Defense (DoD) introduced several significant updates to the Cybersecurity Maturity Model Certification (CMMC) framework compared to the earlier proposed rule from August 2024 (and earlier). For defense contractors, especially subcontractors in the manufacturing and goods-producing sectors, understanding these changes is critical to maintaining compliance and continuing to win contracts. In this article, we’ll explore the most significant changes between the proposed rule and the Final Rule, focusing on compliance timelines, artifact handling, assessment requirements, and the most salient non-technical details.
1. Effective Date and Rollout Period
One of the most pressing concerns for contractors is the timing of CMMC implementation. The Final CMMC 2.0 Rule introduced a clearer timeline:
- Effective Date: The Final rule becomes effective 60 days after its publication in the Federal Register, which places the enforcement date in mid-December 2024 (December 16, to be exact). After this date, contractors bidding on new contracts will need to comply with the specified CMMC level at the time of contract award.
- Phased Rollout: The three-year phased rollout remains, as proposed, but the Final rule clarifies its structure.
- Year 1 will impact about 1,104 small entities, progressively scaling up over the next two years.
- By Year 4, nearly all defense contracts that handle Federal Contract Information (FCI) will require compliance at a minimum CMMC Level 1.
- Organizations handling Controlled Unclassified Information (CUI) will require compliance at a minimum CMMC Level 2.
- Just because DoD has defined this graceful roll-out period does not mean that Prime Contractors must abide by it. Prime Contractors can require compliance well in advance of the prescribed timeline, and many are taking this approach.
2. Assessment Requirements: Self-Assessment and Third-Party
In response to industry feedback, the Final rule retains the self-assessment option for Level 1 and some Level 2 contracts. However, there are clearer distinctions and conditions for these assessments:
- Level 1 Self-Assessments: Contractors that only process FCI are allowed to self-assess at Level 1, as specified in both the proposed and Final rules. The self-assessment must be conducted annually, and results need to be submitted to the Supplier Performance Risk System (SPRS).
- Level 2 (Self): Lower-risk contracts involving CUI may allow for Level 2 self-assessments. This includes submitting the assessment results to SPRS.
- Level 2 (C3PAO): Higher-risk contracts handling CUI require an independent third-party assessment (C3PAO).
A key change in the Final Rule is the emphasis on submitting self-assessments before contract awards, as well as an annual reaffirmation of compliance.
Importantly, the preservation of assessment artifacts is required under all levels of the Final Rule. All Contractors must comply with the preservation and hashing requirements spelled out in the Final Rule and the accompanying CMMC Hashing Guide. Both documents are available from DoD CIO.
3. Conditional Certification and Plan of Action & Milestones (POA&M)
The Final Rule introduces a refined approach to conditional certifications and POA&Ms, providing contractors with more flexibility but also establishing stricter limits:
- Conditional Level 2 Certification: If contractors fail to meet all 110 NIST SP 800-171 requirements but achieve at least 80% compliance, they may receive a Conditional Level 2 Certification. This allows them to continue bidding on contracts, provided they remedy unmet requirements within 180 days. There is no allowance for exceptions or extensions.
- POA&Ms: While contractors are allowed to submit a Plan of Action and Milestones (POA&M) for certain unmet requirements, critical controls like multi-factor authentication and encryption cannot be deferred. The Final rule imposes stricter limitations on what can be included in a POA&M, reflecting the DoD's heightened focus on immediate security controls.
- POA&M Items: The timeline to fully resolve POA&M items and complete the reassessment (in the case of Level 2 (C3PAO)) remains the same at 180 days.
4. Artifact Hashing and Retention
A major clarification in the Final Rule relates to the handling of assessment artifacts and how they must be managed:
- Artifact Hashing: Contractors undergoing assessments must generate SHA-256 hashes for each document or artifact used as evidence of compliance. This ensures the integrity of the artifacts without requiring assessors to retain sensitive proprietary information. DoD created a tool to complete this process and has made it available free of charge on the DoD CIO’s website.
- Retention Period: A key update from the proposed rule is that artifacts must be retained for six years from the date of the assessment. This retention period ensures that evidence is available for future audits or reassessments, while keeping the responsibility for artifact storage with the contractor.
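The hashing and six-year retention requirements above (and the preservation requirement noted under the assessment section) come down to a simple discipline: hash every evidence file once at assessment time, keep the list of hashes with the evidence, and re-check it whenever the evidence is produced again. The script below is an added example written for this article; it is not the DoD CIO hashing tool and does not claim to match the CMMC Hashing Guide’s prescribed layout. It assumes a manifest in the same `<sha256>  <relative path>` line format that `sha256sum` writes, so the manifest can also be checked with `sha256sum -c`. The sample artifacts it creates are constructed placeholders, not real assessment evidence.

```python
"""Build and verify a SHA-256 manifest for CMMC assessment artifacts.

Added example, not the DoD CIO hashing tool. The manifest layout
("<sha256>  <relative path>" per line, as sha256sum writes it) is an
assumption made for this example, not the CMMC Hashing Guide's format.
"""
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # stream large evidence files (PDFs, exports, images) in 1 MiB pieces


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, streamed so memory use does not depend on file size."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(artifact_dir: Path, manifest_name: str = "artifacts.sha256") -> Path:
    """Hash every file under artifact_dir and write a sorted manifest beside them.

    Paths are stored relative to artifact_dir with forward slashes so the
    manifest verifies the same way on any OS. The manifest itself is skipped.
    """
    artifact_dir = Path(artifact_dir)
    manifest = artifact_dir / manifest_name
    lines = []
    for p in sorted(artifact_dir.rglob("*")):
        if p.is_file() and p != manifest:
            rel = p.relative_to(artifact_dir).as_posix()
            lines.append(f"{sha256_file(p)}  {rel}")
    manifest.write_text("\n".join(lines) + "\n", encoding="utf-8")
    return manifest


def parse_manifest(manifest: Path) -> dict:
    """Map relative path -> expected hash; tolerates the '*' binary marker sha256sum emits."""
    expected = {}
    for line in Path(manifest).read_text(encoding="utf-8").splitlines():
        if not line.strip():
            continue
        digest, _, rel = line.partition("  ")
        expected[rel.lstrip("*")] = digest.strip().lower()
    return expected


def verify_manifest(artifact_dir: Path, manifest_name: str = "artifacts.sha256") -> dict:
    """Re-hash every listed artifact and classify it as ok, mismatch, or missing.

    Files on disk that are absent from the manifest are reported as 'unlisted':
    evidence added after hashing has no integrity record and should be re-hashed.
    """
    artifact_dir = Path(artifact_dir)
    manifest = artifact_dir / manifest_name
    expected = parse_manifest(manifest)
    result = {"ok": [], "mismatch": [], "missing": [], "unlisted": []}
    for rel, digest in expected.items():
        p = artifact_dir / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif sha256_file(p) == digest:
            result["ok"].append(rel)
        else:
            result["mismatch"].append(rel)
    on_disk = {p.relative_to(artifact_dir).as_posix()
               for p in artifact_dir.rglob("*") if p.is_file() and p != manifest}
    result["unlisted"] = sorted(on_disk - set(expected))
    return result


def demo() -> tuple:
    """Constructed walk-through: hash three sample artifacts, then detect one that
    was altered, one that was deleted, and one added after the manifest was written."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "policies").mkdir()
        # Constructed placeholder evidence, not real assessment artifacts.
        (root / "policies" / "access-control-policy.txt").write_text("AC policy v1\n")
        (root / "mfa-screenshot.png").write_bytes(b"\x89PNG placeholder image bytes")
        (root / "sprs-submission.txt").write_text("score 110\n")
        build_manifest(root)
        before = verify_manifest(root)

        (root / "sprs-submission.txt").write_text("score 90\n")   # altered after hashing
        (root / "mfa-screenshot.png").unlink()                     # evidence lost
        (root / "new-evidence.txt").write_text("added later\n")   # never hashed
        after = verify_manifest(root)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("at assessment time:", before)
    print("at a later check:  ", after)
```

Run the file directly to see the two verification reports. In practice the manifest is produced once, at the time the artifacts are presented to the assessor, and then retained alongside the artifacts for the six-year period; recording the manifest’s own SHA-256 in the assessment record lets a later reviewer confirm that neither the evidence nor the list of hashes was changed afterwards.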
5. Affirmation of Continuous Compliance
Another significant addition in the Final Rule is the requirement for contractors to affirm continuous compliance with CMMC standards:
- Annual Affirmation: Contractors must affirm their compliance on an annual basis or when there are any changes to their security posture. This affirmation, signed by a senior company official, must be submitted to SPRS to ensure the DoD has up-to-date information about the contractor’s security status.
- Continuous Monitoring: While the proposed rule highlighted periodic assessments, the Final rule stresses the importance of continuous monitoring and immediate reporting of any lapses in compliance.
6. Subcontractor Requirements
The requirements for flowing down CMMC compliance to subcontractors were clarified in the Final rule, ensuring that subcontractors are held to the same standards:
- Prime Contractors' Responsibilities: Prime contractors must ensure that their subcontractors have the required CMMC certification before awarding any subcontracts.
- Similarly, Subcontractors that pass CUI down to their subcontractors must also ensure that those organizations have appropriate certification and controls.
- The Final Rule provides explicit guidance on how to determine the CMMC level for subcontractors based on the information being shared.
7. Clarifications on Scope and System Coverage
The Final Rule offers better guidance on the scope of the CMMC requirements, particularly around which systems need to be assessed:
- Contractor Information Systems: The rule specifies that all systems that process, store, or transmit FCI or CUI as part of the contract performance must meet the CMMC level required by the contract.
- Scoping Guide Updates: The accompanying scoping guides now offer clearer explanations on how to categorize systems, helping contractors more effectively manage their assessment boundaries.
- The full Scoping and Assessment Guide is available on the DoD CIO’s website.
8. Clarification on Asset and Information Types
The distinction between CUI Assets, Security Protection Assets (SPAs), and Security Protection Data (SPD) is one of the most anticipated and well-received updates in the CMMC 2.0 Final Rule. The proposed rule left this distinction unclear; the Final Rule now clearly denotes which elements of a contractor’s information systems fall under the CMMC assessment, which has long been a point of confusion. The Final Rule provides clearer definitions and safeguarding requirements for each category, alleviating much of the ambiguity from the proposed rule and streamlining the assessment process.
Here’s a breakdown of the three key asset categories, their safeguarding requirements, and how they are assessed during CMMC certification.
CUI Assets
CUI Assets are at the heart of the CMMC framework, as they directly handle Controlled Unclassified Information (CUI). These assets are central to the certification process and demand the highest level of scrutiny.
- Definition: CUI Assets are systems or components that process, store, or transmit CUI. This could include databases, servers, or any applications used to manage or transfer CUI.
- Safeguarding Requirements: All CUI Assets must comply with the 110 security requirements outlined in NIST SP 800-171. This includes implementing robust access controls, encryption, monitoring, and incident response mechanisms. Given that CUI Assets interact directly with sensitive government information, these systems require the strictest protection.
- Assessment Focus: During a CMMC assessment, CUI Assets are evaluated to ensure that the security controls meet the NIST SP 800-171 requirements. Assessors will look at how CUI is accessed, stored, and transmitted, focusing on whether the necessary safeguards (like encryption and multi-factor authentication) are in place. Any gaps in protecting CUI Assets will significantly impact the assessment outcome.
Security Protection Assets (SPAs)
Security Protection Assets (SPAs) are systems or components that do not handle CUI directly but are essential in protecting CUI Assets by providing critical security services.
- Definition: SPAs include things like firewalls, intrusion detection systems (IDS), encryption tools, and network segmentation devices. These systems act as security enablers, creating protective barriers around the CUI Assets.
- Safeguarding Requirements: While SPAs do not process or store CUI themselves, they play a critical role in ensuring the security of CUI Assets. These assets must be properly configured, regularly monitored, and protected from tampering. They must also meet the relevant controls from NIST SP 800-171, particularly those related to system monitoring, access control, and incident response.
- Assessment Focus: During a CMMC assessment, SPAs are evaluated for how well they safeguard the CUI Assets they protect. This involves reviewing configurations, monitoring capabilities, and whether these assets provide effective defense against unauthorized access or cyber threats. The assessment will verify that SPAs are functioning correctly and that they are integrated into the broader security framework.
Security Protection Data (SPD)
Security Protection Data (SPD) refers to the logs, configuration information, and similar data that is generated by or necessary to operate Security Protection Assets (SPAs). While SPD does not include CUI, its integrity is crucial for the proper functioning of the security environment.
- Definition: SPD is the data used to configure and manage SPAs. This data ensures that the SPAs are set up correctly to protect CUI Assets and maintain system security. Examples include firewall rules, encryption settings, and IDS configurations.
- Safeguarding Requirements: While SPD itself does not handle CUI, it must be safeguarded to prevent unauthorized alterations that could weaken the protection of CUI Assets. NIST SP 800-171 controls apply to the extent that they ensure the proper configuration and protection of SPAs. Any compromise of SPD could lead to vulnerabilities in the systems that protect CUI, making its safeguarding crucial.
- Assessment Focus: SPD is evaluated to ensure that the configurations of SPAs are secure and effective. While it is not subject to the same level of scrutiny as CUI Assets, the proper handling and protection of SPD are essential to the overall security posture. Assessors will verify that SPD is correctly managed and that no unauthorized changes can be made that would affect the security of CUI.
Key Differences Between CUI Assets, SPAs, and SPD
The final rule provides a much-needed distinction between these asset categories, offering clear guidance on how each should be handled during an assessment:
- CUI Assets are the most critical to secure, as they directly process, store, or transmit CUI. They must meet the full set of NIST SP 800-171 controls and are the primary focus of any CMMC assessment.
- SPAs serve as protective barriers around CUI Assets. While they do not process CUI, they must be properly configured and maintained to ensure they provide effective security.
- SPD ensures that SPAs are configured and managed properly. Though SPD does not directly interact with CUI, any compromise could weaken the protection provided to CUI Assets. It is crucial that SPD is safeguarded to maintain the overall security posture.
The clarification of CUI Assets, SPAs, and SPD in the CMMC 2.0 Final Rule was a highly anticipated development, bringing much-needed guidance to contractors and assessors alike. By clearly defining each category and its respective safeguarding requirements, the DoD has streamlined the assessment process and removed much of the ambiguity that existed in the proposed rule. This clarity allows contractors to better scope their assessments, focus on critical assets, and ensure their compliance with CMMC requirements, ultimately making it easier to protect sensitive information and maintain a secure supply chain.
9. The Role of Managed Service Providers (MSPs) and External Service Providers (ESPs) in CMMC 2.0 Assessments
In the CMMC 2.0 Final Rule, one of the more nuanced areas involves the role of Managed Service Providers (MSPs) and other External Service Providers (ESPs) in a contractor's cybersecurity ecosystem.
While MSPs and ESPs that do not directly handle Controlled Unclassified Information (CUI) are not required to undergo a C3PAO assessment, contractors must carefully manage these relationships. The ultimate responsibility for safeguarding CUI and ensuring the secure operation of systems lies with the contractor, not the MSP, MSSP, or ESP.
ESPs fit into the CMMC compliance framework in a unique way. The assessment criteria for those that don’t store, process, or transmit CUI are different and largely unfamiliar to many assessors. ESPs that do not pursue Level 2 (C3PAO) certification introduce significant complexities, added costs, and a great deal of uncertainty for their contractor-customers.
MSPs, ESPs, and their relationship to OSCs and OSAs
MSPs, MSSPs, and TSPs (External Service Providers, or ESPs, in CMMC parlance) provide essential IT services that may include managing security infrastructure, offering cloud storage solutions, and overseeing various operational tasks related to an organization's information systems. However, under the CMMC framework, whether an ESP requires a CMMC Level 2 (C3PAO) certification depends on whether it handles CUI. This was one of the most groundbreaking and material changes in the Final Rule.
- All ESPs are in-scope: The Final Rule made clear that even ESPs which only provide Security Protection functions are in-scope for the Contractor (OSA). The systems (SPAs) they provide will be assessed for the full set of 800-171 controls for the capabilities (functions) they provide.
- Non-CUI Handling MSPs/ESPs: If an ESP does not process, store, or transmit CUI, they are not required to undergo a CMMC Level 2 third-party assessment – Level 2 (C3PAO).
- CUI-Handling MSPs/ESPs: However, if an ESP stores, processes, transmits, or can interact with CUI, either directly or as part of the systems used to provide their services, they must comply with the security requirements outlined in NIST SP 800-171 and will need to obtain the appropriate CMMC Level 2 (C3PAO) certification. This ensures that any provider managing sensitive data is properly vetted and certified.
- ESPs that do not possess a Level 2 (C3PAO) certification and only provide SPA-related functions must comply with
Responsibilities of Contractors Using ESPs
Although MSPs/ESPs may manage critical security functions, the contractor retains ultimate responsibility for the security and protection of CUI, even if it is handled by an external provider. This responsibility includes ensuring that all systems, assets, and personnel interacting with CUI meet the necessary cybersecurity requirements.
The CMMC 2.0 Final Rule makes it clear that contractors must:
- Vet all service providers: Contractors need to ensure that any ESP handling CUI is appropriately certified or that measures are in place to limit their access to CUI.
- Maintain oversight: Contractors should maintain strict oversight of ESPs, even those that do not directly handle CUI. Systems used to manage Security Protection Assets (SPAs), such as firewalls or encryption tools, must still meet security requirements to prevent indirect compromise of CUI assets.
- Ensure compliance flow-down: Contractors are also required to flow down CMMC requirements to any subcontractors, including MSPs/ESPs, that may be involved in their supply chain. This ensures that security controls extend across all tiers of contractors and service providers.
Complexities of Using Uncertified ESPs
While it may seem cost-effective to employ uncertified MSPs/ESPs that do not directly handle CUI, doing so introduces potential risks and complexities. These providers, although not interacting with CUI, still play a critical role in maintaining and securing the contractor’s broader IT environment, including Security Protection Assets (SPAs).
Key Risks of Using Uncertified Providers:
- Potential for CUI Exposure: Even though uncertified MSPs/ESPs are not handling CUI directly, they may manage or have access to systems that support CUI assets. Without proper security controls, there is a risk that these systems could be compromised, leading to potential exposure or unauthorized access to CUI.
- Reduced Accountability: When an MSP or ESP is uncertified, the onus is on the contractor to ensure all relevant security measures are in place. This can add an extra layer of complexity, as contractors must be diligent in verifying that uncertified providers are following best practices to protect their systems and any connected CUI environments.
- Limited Recourse in the Event of a Breach: If a breach occurs and an uncertified MSP or ESP is involved, the contractor is solely responsible for reporting and addressing the incident under DFARS 252.204-7012 requirements.
- Potential for Legal Exposure: Relying on uncertified providers may limit the contractor’s ability to prove that appropriate safeguards were in place in the event of a cyber incident. This also may invalidate cyber or liability risk coverage under applicable insurance policies.
- Potential for unforeseen expenses: The Final Rule makes it clear that contractors are solely responsible for the compliance of their systems with NIST 800-171 and the broader CMMC Rule. It also clarifies that ESPs are in-scope. Using an uncertified ESP that isn’t familiar with these controls, practices, and procedures could lead to substantial “out of scope” professional service fees from the ESP as it retrofits its systems and practices to comply with the requirements of the CMMC program.
Best Practices for Managing ESP Relationships
To minimize risk and ensure compliance, contractors should adopt the following best practices when managing MSP or ESP relationships under CMMC 2.0:
- Clearly Define the Scope of Services: When contracting with an MSP/MSSP or ESP, clearly delineate what systems and data they will handle. For those managing or potentially interacting with CUI or SPAs, ensure they are certified to at least CMMC Level 2 (C3PAO). This is different from a Level 2 (Self) attestation.
- Implement Monitoring and Auditing: Even for uncertified providers, contractors should implement rigorous monitoring and auditing processes. This ensures that any potential vulnerabilities are identified and addressed before they can impact CUI assets.
- Maintain Full Control Over CUI Assets: Contractors should ensure that full control and accountability over CUI assets remain with their organization. If MSPs/ESPs are required to support systems that touch CUI indirectly, strict access controls and security protocols should be implemented to prevent unauthorized access.
- Contractual Safeguards: Include contractual provisions that hold MSPs/ESPs accountable for maintaining a secure environment. Even if the provider is uncertified, contractors should ensure that they meet the relevant security standards and understand their role in protecting the contractor’s systems.
ESPs are Critical to the Ecosystem
While MSPs, MSSPs, and ESPs are valuable partners in managing IT and security infrastructure, contractors must recognize that ultimate responsibility for protecting CUI and ensuring compliance with CMMC requirements lies with the contractor. The decision to use an uncertified provider, while not prohibited, introduces additional risks that must be carefully managed. Contractors are strongly advised to:
- Assess each service provider’s role and determine whether they need CMMC certification based on their involvement with CUI or SPAs.
- Exercise strong oversight over all service providers, certified or uncertified, to ensure they are adhering to the necessary security controls.
- Carefully review the service provider’s Customer Responsibility Matrix (CRM) and determine exactly – down to the control and practice level – what they are responsible for and what responsibility you as the OSA retain. This is often an area of surprise for Contractors, who learn that the ESP takes little accountability or responsibility for security controls that were assumed to be in its swimlane.
10. Final Thoughts on the Final Rule
The changes in the Final CMMC 2.0 Rule reflect the DoD’s intention to balance flexibility with accountability. For contractors, particularly those in the defense manufacturing and goods-producing industries, the updates offer clearer timelines, expanded options for self-assessments, clearer responsibilities when using an ESP, and stricter requirements for certification and artifact retention. As the phased rollout begins in late 2024, staying informed and compliant will be critical to maintaining eligibility for defense contracts.
To prepare for these changes, contractors should:
- Assess current readiness and begin planning for third-party assessments where required.
- Ensure POA&Ms are completed within the 180-day window for any conditional certifications.
- Establish internal processes for hashing and retaining artifacts for six years.
- Engage with subcontractors to ensure compliance across all tiers of the supply chain.
CorpInfoTech is a CMMC Level 2 compliant MSP that offers IT, cybersecurity, and compliance solutions to SMBs. Through TAS for CMMC Compliance, contractors gain access to enterprise-level tools and expertise that make achieving and maintaining compliance much more efficient.
Get Personalized Answers to Your CMMC Compliance Questions - Let’s Have a CMMC Conversation