October 15, 2024
CMMC Program Final Rule (32 CFR 170) Published
The rule itself (public inspection version released Friday) is 87 pages long, and came with 383 pages of comments, which provide additional insight into DoD's intent (as well as a fair bit of entertainment). The rule will become effective December 16, 2024. I have only had a chance to do a quick skim, but overall I'm pleased that the DoD did back off on some of the more onerous aspects of the proposed rule.
Here are my hot takes:
Virtual Desktop Infrastructure (VDI) endpoints may now be out of scope. "An endpoint hosting a VDI client configured to not allow any processing, storage, or transmission of FCI/CUI beyond the Keyboard/Video/Mouse sent to the VDI client is considered out-of-scope. There are no documentation requirements for out-of-scope assets." This is great news for organizations that invested in VDI to reduce their scope. (Note: If you can save CUI locally, to print for example, that endpoint is a CUI Asset and will be assessed against all practices.)
Security Protection Assets need only be assessed against "relevant" practices. You should "Prepare to be assessed provided against CMMC Level 2 and Level 3 security requirements" but there will be only a "limited check" against security practices that are "relevant to the capabilities provided". Again, this is great news for organizations that have invested in security tools which are not FedRAMP Moderate authorized or equivalent.
CMMC Certification not strictly required for MSPs. (But ...) The changes in requirements related to External Service Providers (ESPs) and Security Protection Data (SPD) are complicated. The short version is that many MSPs will not need L2 certification as previously expected, but they are still in scope for their OSC clients' assessments. More details and analysis of this in a future update.
Artifact retention required for self-assessments. I suspect this one will surprise a lot of people: "The artifacts used as evidence for the assessment must be retained by the OSA for six (6) years from the CMMC Status Date." This quote is referring to a L1 self-assessment, and is repeated for L2 self-assessments. This means that your self-assessment is expected to be just as rigorous as an official third-party assessment would be, with proof of having met every assessment objective (AO) for every practice at that level. If DIBCAC comes a-calling one day, they will expect to see evidence of your annual (L1) or triennial (L2) self-assessments. That's a lot of artifacts to develop and maintain.
The definition of Cloud Service Provider now matches NIST SP 800-145. Thank goodness for this one! Many people (including me) commented that the definition of CSP in the proposed rule was far too broad, and suggested using the NIST definition instead. DoD listened.
Implementation Phase One increased to 12 months. The phased rollout has been extended a bit, with the first phase now lasting 12 months rather than six. Here's an updated chart showing an estimated timeline, if the 48 CFR rule becomes final in the spring as expected.
| Date | Requirement |
| --- | --- |
| April 1, 2025 | ALL DoD contracts will require self-assessment and affirmation for both L1 and L2 at the time of award |
| April 1, 2026 | Official L2 certification required for new contracts |
| April 1, 2027 | Official L2 certification required to exercise options on contracts awarded prior to the effective date of the rule; official L3 certification required for new contracts |
| April 1, 2028 | Official L2 and L3 certifications required for all options on all contracts |
Primes will be pushing for certification faster. Fair warning: if you do work for prime contractors, they will be pushing for you to become CMMC compliant faster than the phased implementation schedule in the rule. I've heard of primes sending out emails within hours of publication.
If you need help with your CMMC compliance program, I'm here! Email, call, or schedule a time to chat.
How old is your SPRS self-assessment score? Might want to review this.
Sincerely,
Glenda R. Snodgrass, CCP/CCA
grs@theneteffect.com
The Net Effect, LLC
www.theneteffect.com
251-433-0196 x107