January 21, 2025
800-171 is bustin' out all over!
Two proposed new rules were published in the Federal Register last Wednesday: one from FEMA, and a new FAR CUI rule proposed jointly by GSA, DOD and NASA that applies to all federal government contractors, for all agencies.
The proposed FEMA rule is interesting because not only does it require implementation of 800-171r3 (not r2) but states "Such implementation must be validated by a third-party assessment organization." Fortunately for the general populace, this rule applies to a very small group (private insurers who participate in the flood insurance program) but the recognition that self-attestation doesn't work is pretty big IMO. Will CMMC be adopted by all agencies? DOD sure wants that to happen.
Far more interesting, with wide-ranging applicability, is the proposed new FAR CUI rule. It applies to all federal government contractors and their subs, for all agencies, and the only exemption is for Commercial Off The Shelf (COTS) products. Even the Simplified Acquisition Threshold (SAT) is not exempt from this one.
It's hardcoded to 171r2, just like CMMC. We're getting some new clauses, some new definitions, and some clarifying language for old definitions. I'll be writing about several of these points in the coming weeks, but two things jumped out at me: accountability and anticipated cost.
Accountability
What I *love* about this rule is its strong focus on requiring contract officers to clearly identify CUI in RFPs and contracts. There's a new form, SF XXX (to be named) which will be the cover sheet for all new contracts, with a Yes or No box that must be checked to indicate the presence of CUI. But wait, there's more!
(i) When agencies acquire products and services subject to 32 CFR part 2002, Controlled Unclassified Information (CUI) (see 4.403), the SF XXX, Controlled Unclassified Information (CUI) Requirements, must be incorporated in the contract and must identify, at a minimum—
(1) The CUI the contractor will handle in performance of the contract;
(2) Any CUI access and dissemination requirements placed on the contractor during performance of the contract;
(3) Federal and non-Federal information systems the contractor will use to handle CUI in the performance of the contract;
(4) System security and privacy requirements for each information system, as appropriate, and any additional security and privacy measures required by the agency;
(5) Any instructions for handling CUI during performance of the contract;
(6) Any CUI training requirements the contractor must adhere to in order to comply with 32 CFR 2002.30; and
(7) Any CUI incident reporting instructions required by the agency, to include the agency website or single point of contact.
Doesn't that sound wonderful? Clarity in a contract? No more guessing what is CUI or not?
Anticipated cost
Over and over, when I speak with prospective new clients, one of the first things I hear is "How much will this cost?" The answer, of course, is "It depends," but when pressed I generally answer in hand-waving terms: initial implementation of 800-171 for SMBs is in the low- to mid-six figures, with annual maintenance of $50-100k. Many of my colleagues have been using the same numbers for several years now. I am often greeted with looks of horror and disbelief, but whaddya know? Vindication. In the preamble to the proposed FAR CUI rule, for the first time ever, we have an official USG estimate of the cost to implement and maintain an 800-171 compliant system:
A contractor may need to depend on the expertise of information security specialists to develop and document processes and procedures associated with each security requirement, perform the periodic scans, tests, and assessments necessary for some of the security requirements, and analyze the results. The amount of time necessary to perform the various tasks will vary by contractor depending on the number of employees and the complexity of its information systems. Some contractors may already have personnel performing some of the functions as a matter of good business practice to protect their networks, while others may be starting with no in-house expertise.
How much does USG expect this will cost? For small biz, $175,700 to implement and $104,940 annually to maintain. These figures include both labor (which can be internal, outsourced or some combination of the two) and products (hardware, software, services). For "other than a small business" those figures go up to $683,400 for the first year and $575,140 annually.
Ouch. These are of course new costs for non-DOD contractors because this is a new requirement, but DOD contractors are expected to have already implemented 800-171.
Whew. It looks like all of USG has finally gotten serious about securing CUI. Are you ready? Call if you need help! Or sign up for my virtual CMMC workshops to learn more about what you need to do.
Winter Workshops

CMMC 101: An Introduction to CMMC
Are you feeling pressure to prepare for CMMC -- but don't know how to begin? This virtual workshop will get you started!
Tuesday, January 28 @ 10am - 12pm (CT)

CMMC 102: Understanding the Security Controls
This deep-dive into the requirements of CMMC L1 will focus on the assessment objectives and evidence, preparing you to assess L2.
Tuesday, February 11 @ 10am - 12pm (CT)

Glenda R. Snodgrass, CCP/CCA
grs@theneteffect.com
The Net Effect, LLC
www.theneteffect.com
251-433-0196 x107