May 20, 2024

Breaking News: 171/A R3 final released, CMMC 48 CFR rule sent to OMB

Big things are afoot this month! First the DoD issued a class deviation for NIST P 800-171r2 on May 2, just before NIST released R3 of 800-171 and 800-171A on May 14. Thankfully, because of the class deviation, the heat is off for immediate implementation of R3, but it definitely needs to be on your radar screen, especially if you are making any significant changes to your informatoin systems.

Meanwhile, the DoD showed once again that it's serious about getting the CMMC train moving down the tracks, as it sent the proposed new 48 CFR CMMC rule to the OMB on Wednesday, May 15.

This rule updates the original CMMC clause (252.204-7021) in the interim final rule published in September 2020, and will implement the CMMC Program (defined in the 32 CFR rule). When the 48 CFR rule becomes final, CMMC is officially "live."

How does this affect your implementation timeline? Best guess is that the 32 CFR rule will become final by the end of 2024, opening up the possibility of official CMMC assessment by C3PAOs. The 48 CFR rule most likely will become final in the first half of 2025, at which point self-attestation for both L1 and L2 is required for new awards, marking the start of the 6-month countdown to requiring official assessment for L2 for new contract awards.

Don't delay your implementation! If you need help, you know where to find me!

How old is your SPRS self-assessment score? Might want to review this.

Sincerely,

Glenda R. Snodgrass, CCP/CCA
grs@theneteffect.com
The Net Effect, LLC
www.theneteffect.com
251-433-0196 x107

If you enjoy these updates, you might also enjoy my weekly newsletter "Cyber Security News & Tips" -- sign up now!