CMMC’s New Rule Has Finally Arrived
7 Key Takeaways to Help You Move Forward
By: Cole French, Director of Cybersecurity Services and CMMC Capability Lead, Kratos Defense & Security Solutions and host of the Cyber Compliance & Beyond podcast.
Published: November 5, 2024
The long-awaited CMMC rule was published on October 15, 2024. It’s quite voluminous and covers a lot of ground, with the pre-publication draft coming in at over 400 pages. To help understand the changes… and non-changes… we’ve summarized 7 key takeaways to make confident compliance easier. The government did much to help in the new rule, but open issues remain that would benefit from further clarification and for which you may want further guidance to navigate.
- External Service Providers (ESP) are no longer required to achieve CMMC certification in all circumstances.
The most consequential change in the final rule is the applicability of CMMC to ESPs. If you’re new to CMMC, ESP doesn’t mean you can read minds; it refers to external people, technology, or facilities that an organization uses for provisioning and management of IT or cybersecurity services on behalf of the organization.
In the draft rule, all ESPs were required to achieve CMMC certification. There was significant outcry, and the DoD listened. The final rule addresses these ESP scenarios:
- For any Organization Seeking Assessment (OSA) that uses established connections to an ESP’s systems, those systems must be addressed as part of the Assessment Scope.
- If an ESP connects to an OSA’s virtual desktop infrastructure (VDI) solution, the ESP is not in the Assessment Scope, as long as the VDI is configured to only allow keyboard and mouse input.
- In the case of ESP staff augmentation to the OSA, if the OSA provides their own policies and procedures to the ESP staff, the ESP is not in the Assessment Scope. However, if an ESP is functioning as a Security Protection Asset (SPA) and not processing, storing, or transmitting Controlled Unclassified Information (CUI), the ESP is part of the Assessment Scope.
Simple?
Tip: OSAs should quickly take the first step of evaluating their use of ESPs in light of these scenarios to determine which ESPs must be included in the Assessment Scope.
- Cloud Service Providers (CSP) do not require FedRAMP Moderate Authorization.
The original Defense Federal Acquisition Regulation Supplement (DFARS) required that CSPs be “FedRAMP Moderate or equivalent.” The problem there was the word “equivalent,” which was never defined. In response, DoD issued a FedRAMP Equivalency memo in late 2023, which defined equivalency stringently. In a nutshell, it required that CSPs either maintain FedRAMP Moderate or higher Authorized status or comply with equivalency requirements defined in the memo.
Unfortunately, the equivalency requirements presented new challenges. For one, they were more difficult to achieve than FedRAMP authorizations. For another, many OSAs wrestled with how to work with their CSPs when those CSPs are also acting as SPAs. (So many acronyms!)
Where the earlier draft rule and DoD policy were unclear because they did not exclude SPAs that were only providing security protection (and not processing, storing, or transmitting CUI), the final rule responds to public comment by stating directly: “[i]f the offering does not process, store, or transmit CUI, then FedRAMP certification is not required.”
Tip: This is significant for organizations leveraging cloud-hosted SPAs that are not FedRAMP authorized. If these SPAs are not processing, storing, or transmitting CUI, OSAs can continue to use them and avoid the costly migration to a FedRAMP authorized SPA. It is important to remember, however, that these SPAs are still in scope for an assessment.
- Security Protection Data (SPD) is a new and significant term.
Just what we needed, another acronym! The DoD coined the term SPD as an integral part of the pathway they created to limit the requirements on ESPs. SPD is defined as:
… data stored or processed by Security Protection Assets (SPA) that are used to protect an OSC’s assessed environment. SPD is security relevant information and includes but is not limited to:
- configuration data required to operate an SPA,
- log files generated by or ingested by an SPA,
- data related to the configuration or vulnerability status of in-scope assets,
- passwords that grant access to the in-scope environment.”
Tip: Clearly, responses here will depend upon specific implementation criteria. OSAs should review their unique needs and operations with this definition in mind to evaluate their SPAs and the depth to which they are in scope for an assessment.
- New triggers for re-assessment.
Systems are rarely static, often undergoing many and various changes over time, both large and small. While the rule doesn’t explicitly define the triggers for a re-assessment, DoD addressed the topic in their public comment responses, stating, “A new CMMC assessment may be required if significant architectural or boundary changes are made to the previous Assessment Scope.”
That covers a lot of ground; however, DoD provided two examples: “expansions of networks or mergers and acquisitions.”
Conversely, examples of changes that would not require a re-assessment were also given: “[o]perational changes within an Assessment Scope, such as adding or subtracting resources within the existing assessment boundary that follow the existing SSP.”
According to DoD, operational changes are covered by the required annual attestation of compliance.
Tip: Although no one has a crystal ball, OSAs should think through current plans that might trigger re-assessment based on these loose examples. If appropriate, set periodic milestones to review strategic plans that could potentially trigger re-assessment, and then seek expert advice.
- ‘Enduring exceptions’ and ‘temporary deficiencies’ are new and helpful terms.
The term Enduring Exception has been introduced as “a special circumstance or system where remediation and full compliance with CMMC security requirements is not feasible.”
According to DoD, “examples include systems required to replicate the configuration of ‘fielded’ systems, medical devices, test equipment, OT, and IoT. No operational plan of action is required but the circumstance must be documented within a system security plan. Specialized Assets and GFE may be enduring exceptions.”
These exceptions must be described in an OSA’s System Security Plan (SSP), along with any mitigations, in order to be marked as met during an assessment.
Temporary Deficiency is also a welcome addition because it directly addresses another long-term source of confusion: the handling of deficiencies (often referred to as vulnerabilities) that are discovered after implementation and during operation.
The new rule defines a Temporary Deficiency as “a condition where remediation of a discovered deficiency is feasible, and a known fix is available or is in process. The deficiency must be documented in an operational POA.”
Tip: Review any known or suspected deficiencies as soon as possible and develop POAs. As long as a deficiency isn’t endemic to the system as a whole, the system can continue operating in a compliant state if there is a POA to address it.
- Continuous monitoring presents risks to OSAs.
CMMC certification, or “status,” is valid for three years. There has been an understanding in the community that some form of continuous monitoring would eventually be required. The rule does so, defining the continuous monitoring requirement as an annual attestation of continuing compliance.
While this is less than the ecosystem desired, it does come with teeth. DoD set up a very specific structure and requirements for the attestation of compliance, and it opens OSAs and their Affirming Officials to the rules of the False Claims Act. Violations of the False Claims Act can result in punitive damages against both the OSA and the Affirming Official who signs the attestation of continuing compliance. Other penalties may include suspension, debarment, or the loss of contracts.
Tip: Even though a formal annual assessment (either a self-assessment or C3PAO assessment) is not required, OSAs should build them into their implementations of CMMC. OSAs that can bear the cost would also be wise to leverage a C3PAO or Registered Provider Organization (RPO) as part of their continuous monitoring activities. Doing either or both will offset the risks presented by the annual attestation of compliance.
- CUI marking and handling guidance remains the same.
The DoD declined to provide additional CUI guidance or supporting materials to industry, declaring that such guidance is outside the scope of the CMMC rule.
This really isn’t surprising. The intent of the rule is to define the CMMC program. CUI marking and handling is a bigger issue that is best addressed elsewhere. The problem that industry is facing, however, is the implementation of the existing policy, guidance and procedures.
The government is responsible for stipulating within each contract whether or not a particular item is CUI and, more importantly, for marking it as CUI. It’s an open secret, however, that CUI is not always marked appropriately.
By law, OSAs are not permitted to mark documents as CUI if the government has not done so. As a result, the de facto procedure in these instances is to protect the information as if it were CUI.
Unfortunately, that leads to a bigger problem because controls within the CMMC framework require the specific application of security to information that is CUI. As a result, a lack of clarity on CUI marking has cascading impact requiring OSAs to guess, thereby opening the door to potentially co-mingling data thought to be CUI with data that actually is CUI.
In Short: Improvements in the implementation of CUI marking and handling are badly needed, starting with the government, and will drive CMMC’s effectiveness in achieving its primary mission of enhancing the protection of CUI. OSAs will have to remain vigilant and seek advice from their experts and government customers.
The new CMMC rule has gone a long way in addressing the top concerns of the CMMC community; however, additional clarification would be useful and, hopefully, will be forthcoming. It does provide much needed direction for organizations to get started and proceed further toward compliance. Every network, system and service is unique, of course. If you have additional questions or are seeking advice, get assistance by contacting us and subscribe to the Cyber Compliance & Beyond podcast where CMMC is a regular topic, as are other cybersecurity compliance topics for business including FedRAMP, HIPAA, and more.
This article is intended to provide only general guidance about the topics discussed. Neither the author nor Kratos Defense & Security Solutions is providing specific guidance or advice that the reader may rely on, and the author and Kratos Defense & Security Solutions disclaim any liability arising from such reliance.