CMMC 32 CFR Enters Federal Register on 10/15/24: What It Means for Contractors

Understanding the New Legal Framework for Cybersecurity

On October 15, 2024, the Cybersecurity Maturity Model Certification (CMMC) 32 CFR regulation will officially enter the Federal Register, marking a significant milestone in the legal landscape for defense contractors and subcontractors.
What You Need to Know:

• This regulation establishes a comprehensive framework to ensure contractors are equipped to protect Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) and have implemented necessary security measures.
• By formalizing the CMMC program, the Department of Defense (DoD) aims to standardize cybersecurity practices across the defense industrial base, moving away from self-attestation models to a more rigorous certification process.
• This shift reflects the evolving cybersecurity threats and underscores the DoD's commitment to protecting national security through stringent cybersecurity standards.

Resources that can support your organization as you navigate CMMC compliance:

• CMMC Command Center 
• CMMC Readiness Questionnaire
• Countdown To CMMC

Implications for Defense Contractors and Subcontractors

The implications of 32 CFR on the Defense Industrial Base are profound. The finalization of this rule implements a simplified, yet rigorous set of regulations defense contractors will have to follow to be awarded defense contract. The three maturity levels are: 

• Level 1 - Foundational: 17 basic cybersecurity controls, outlined in FAR 52.204-21, focused on protecting Federal Contract Information. Contractors at this level need to undergo an annual self-assessment.
• Level 2 - Advanced: Requires contractors to implement the controls outline in Level 1 as well as all 110 controls and 320 objectives outlined in NIST 800-171a rev2, focused on protecting Controlled Unclassified Information. Level 2 contractors will need to verify their compliance posture through a triennial, third-party assessment by a CMMC 3rd-Party Assessment Organization (C3PAO).
• Level 3 - Expert: Level 3 is the highest tier of CMMC certification, building on the requirements of Levels 1 and 2, along with 24 additional controls selected from NIST SP 800-172. Organizations at this level must implement advanced security measures such as continuous monitoring and threat detection. They must also undergo a multi-year government-led assessment to ensure robust protection of sensitive information.

CMMC 2.0 is one of, if not the most, consequential cybersecurity regulations to be implemented within the Defense Industrial Base - standardizing and verifying cybersecurity posturing across the defense supply chain.

Navigating the Tiered Certification Requirements

The CMMC framework is structured as a tiered model, requiring varying levels of cybersecurity maturity based on the sensitivity and type of information handled. One of the biggest changes from CMMC 1.0 to 2.0 is the implementation of third-party assessments at Level 2 of CMMC 2.0. The Defense Industrial Base is largely comprised of small-to-medium sized businesses (SMBs), who may not be as resource-rich as larger, Prime contractors. More stringent 

For contractors (especially SMBs) who handle CUI, understanding and navigating these requirements is crucial for securing new contracts. The regulation outlines clear guidelines on how to achieve Level 2 certification and what to expect during a C3PAO audit. That said, it will likely require an investment of time and resources. With 32 CFR finalization expected at sometime in mid-December, start budgeting and planning for CMMC-related activities in 2025. Early preparedness is a great way to position your business at a strategic advantage for new contract.

What should your next steps be

Make sure your investment in compliance aligns with your overall strategic goals.

Compliance is the key to unlocking new contracts. It's no longer a box-checking exercise, it's a true opportunity to gain a competitive edge over less proactive subcontractors and can enhance your positioning with Prime contractors. Take the time to see how your business currently operates within the DIB, what your goals are in the short and long-term, and incorporate your targeted compliance maturity levels into these conversations/planning sessions.

Begin Adding cmmc-related costs into your 2025 budget

CMMC 2.0 is going to require an investment, and that investment is going to look different for each organization depending on their current cybersecurity posturing. That said, finalization of 32 CFR is coming at an ideal time as many contractors are working on their 2025 budgets. It is imperative to include CMMC-related expenses into your 2025 budget work. A few line items to keep in mind are: 

• More cybersecurity tools and trainings
• C3PAO assessment expenses (roughly around $30,000)
• Additional internal or external support (MSP contracts)

Some of these items can even be incorporated into your proposals to Primes. Pro tip: Primes are expecting your prices to go up a bit to account for enhanced security measures. You are well within your right to roll some of these costs into your future proposals... they want to see you making the investment!