January 17, 2024
Comments on the proposed new CMMC rule
I spent some time this past week drafting comments on what I consider the most worrisome aspect of the new CMMC rule: scope creep and its impact on the cost of CMMC. You can read the entirety of my comments at https://www.regulations.gov/comment/DOD-2023-OS-0063-0042 but I'll give you a summary here:
The combination of three things in the proposed rule has greatly expanded the scope of compliance, and thus the burden of effort and cost:
- The newly-created data type "Security Protection Data" (SPD) which needs to be protected at the same level as CUI, although it is not in fact CUI.
- Requiring "External Service Providers" (ESPs) to be CMMC L2 certified if they process, store or transmit either CUI or SPD.
- Defining "Cloud Service Provider" (CSP) so broadly as to encompass many non-cloud models of hosting data and applications.
I urge everyone to read the proposed rule and submit comments on these and any other aspects that you believe need to be changed. DoD needs to hear the voices of the Defense Industrial Base -- everyone, not just the mega primes. Regulations.gov has a very useful tip sheet for comments, including these:
- Read and understand the regulatory document you are commenting on (Remember that you are commenting on the CMMC assessment program, not on the requirements of NIST 800-171)
- Be concise but support your claims
- Base your justification on sound reasoning, scientific evidence, and/or how you will be impacted
- Address trade-offs and opposing views in your comment
- There is no minimum or maximum length for an effective comment
- The comment process is not a vote -- one well supported comment is often more influential than a thousand form letters
The more people who comment effectively, the better the chance of getting some relief.
Meanwhile, if you need help with your CMMC preparation, you know where to find me!
Want more information? Check out my upcoming virtual CMMC workshops:
Wednesday, February 28, 2024
Tuesday, March 5, 2024
Glenda R. Snodgrass, CCP/CCA
grs@theneteffect.com
The Net Effect, LLC
www.theneteffect.com
251-433-0196 x107
If you enjoy these updates, you might also enjoy my weekly newsletter "Cyber Security News & Tips" -- sign up now!