CMMC has Changed Direction

The Department of Defense announced a significant change in direction while maintaining the goal of safeguarding sensitive information.

Overview of CMMC 32 CFR Changes and Their Implications

Title: CMMC 32 CFR Changes: What You Need to Know

Introduction: The U.S. Department of Defense (DoD) has made recent updates to the Cybersecurity Maturity Model Certification (CMMC), implementing new regulations under 32 CFR that enhance the security standards for organizations within the Defense Industrial Base (DIB). These changes are designed to ensure organizations can adequately protect sensitive government data against escalating cyber threats, safeguarding both national security and critical business information.

Understanding the CMMC 32 CFR Updates: The new CMMC 32 CFR regulations outline mandatory requirements for DoD contractors, emphasizing the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Organizations must now align with updated assessment and reporting practices that provide greater accountability and adherence to NIST SP 800-171, particularly in data protection and cybersecurity risk management.

Key Changes in CMMC 32 CFR:

  1. Expanded Scope for Compliance: All defense contractors handling CUI and FCI are required to comply with enhanced CMMC standards, ensuring improved security measures across all levels.
  2. Enhanced Certification Process: Organizations must undergo a more rigorous certification process. This includes third-party assessments and a more comprehensive review of their cybersecurity controls.
  3. Alignment with NIST SP 800-171: The CMMC framework now emphasizes a more robust alignment with the NIST SP 800-171 standard, integrating enhanced control requirements for handling sensitive information.
  4. Sustained Compliance and Annual Affirmation: Compliance must be maintained between assessments, and an Affirming Official must attest annually in SPRS that the organization continues to meet the requirements of its CMMC Status. Incident reporting obligations continue to flow from the applicable DFARS clauses.
  5. Focus on Risk Management: The new changes emphasize proactive risk assessment and management, urging organizations to identify, assess, and mitigate cybersecurity risks continually.

What These Changes Mean for Organizations Seeking Compliance: The CMMC 32 CFR update brings tighter security obligations that may present challenges for many businesses, but with these requirements come opportunities to strengthen cybersecurity postures. By meeting these updated requirements, organizations can build stronger defenses, reducing the risk of breaches and enhancing trust with federal clients. AG Grace, Inc. can assist you in navigating these updates effectively, aligning your cybersecurity framework with DoD requirements.

What is the difference between a CMMC self-assessment and a Basic Assessment required as part of the DoD Assessment Methodology?

A Basic Assessment under the DoD Assessment Methodology (DFARS 252.204-7019/7020) is a self-scored NIST SP 800-171 assessment whose summary score is posted to SPRS; it records how many requirements are met but does not itself confer a CMMC Status. A CMMC self-assessment is performed against the CMMC assessment guide for the applicable level, results in a CMMC Status of Level 1 (Self) or Level 2 (Self), and must be accompanied by an annual affirmation by the organization's Affirming Official.

AG Grace, Inc. CMMC Compliance Services: With years of experience in implementing NIST SP 800-171, AG Grace, Inc. offers tailored CMMC compliance services that meet the specific needs of your organization. Our experts are here to help you achieve compliance through assessments, strategic advisory, and comprehensive solutions designed to secure your business.

Contact Us: For a tailored approach to meeting the updated CMMC 32 CFR standards, contact AG Grace, Inc. today. Let us guide you through the complexities of compliance to ensure your organization meets all requirements and remains secure.

The major changes to the original publication of the CMMC Program include:

  1. Reduction of Levels: The original five levels have been reduced to three:
    • Level 1 remains the same.
    • Level 2 is similar to the original Level 3.
    • Level 3 is similar to the original Level 5.
  2. Exclusive Implementation of NIST Standards: The revised program exclusively implements National Institute of Standards and Technology (NIST) cybersecurity standards and guidelines.
  3. Self-Assessments:
    • Level 1 allows for annual self-assessments with an annual affirmation by company leadership.
    • A subset of companies at Level 2 can demonstrate compliance through self-assessment rather than C3PAO assessment.
  4. Department-Conducted Assessments: Level 3 requires assessments conducted by the Department.
  5. POA&M Process: A time-bound and enforceable Plan of Action and Milestones (POA&M) process has been developed, allowing conditional certification under limited circumstances.
  6. Increased Oversight of Assessors: There is increased oversight of the professional and ethical standards of CMMC third-party assessors.
  7. Implementation Phase Extension: Phase 1 has been extended by an additional six months.
  8. New Taxonomy: Differentiates the level and type of assessment conducted from the CMMC Status achieved as a result.
  9. Clarification of DoD's Role: Added clarification regarding the DoD's role in the achievement or loss of CMMC Statuses.
  10. Automatic Updates in SPRS: CMMC Status will be automatically updated in SPRS for OSAs who have met standards acceptance.
  11. Conflict of Interest: Expanded the cooling-off period for the CMMC Accreditation Body to one year and bounded the timeframe between consulting and assessing for the CMMC Ecosystem to three years.
  12. Reporting Adverse Information: Added a requirement for CMMC Ecosystem members to report adverse information to the CAICO.
  13. Provisional Instructor Role: Added to cover the transitional period that ends 18 months after the effective date of this rule.
  14. CCI Certification: Clarified that a CCI must be certified at the same or higher level than the classes they are instructing.
  15. Artifact Retention: Added a requirement for artifact retention to Level 1 self-assessments and Level 2 self-assessments.
  16. Reduced Assessment Requirements for ESPs: The assessment requirements for External Service Providers (ESPs) have been reduced.
  17. Narrowed Definition of CSP: The definition of Cloud Service Provider (CSP) has been narrowed and is now based on NIST SP 800-145 (September 2011).
  18. Reduced Requirements for Security Protection Assets and Data: The assessment requirements for Security Protection Assets and Security Protection Data have been reduced.
  19. FedRAMP Equivalency: References to FedRAMP equivalency have been tied to DoD policy.
  20. Clarified CSP Requirements for Level 3: Clarified the requirements for CSPs for an OSC seeking a CMMC Status of Level 3 (DIBCAC).
  21. Limited Checks by DCMA DIBCAC: Clarified that DCMA DIBCAC has the authority to perform limited checks of compliance of assets that changed asset category or changed assessment requirements between the Level 2 and Level 3 certification assessments.
  22. VDI Clients: Clarified the requirements around the use of Virtual Desktop Infrastructure (VDI) clients.
  23. Distinction Between POA&Ms and Operational Plans: Provided clarification to distinguish between Plans of Action & Milestones (POA&Ms) and operational plans of action.
  24. New and Updated Definitions: Added definitions for terms such as Affirming Official, Assessment objective, Asset, CMMC security requirement, CMMC Status, DoD Assessment Methodology, Enduring Exception, Operational plan of action, Personally Identifiable Information, Security Protection Data (SPD), and Temporary deficiency.

Some definitions were also changed to source from NIST documentation instead of Committee on National Security Systems (CNSS) Instruction No. 4009.

The framework has three key features:

Tiered Model

CMMC requires that companies entrusted with national security information implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. The program also sets out the process for flowing these requirements down to subcontractors.

Assessment Requirement

CMMC assessments allow the Department to verify the implementation of clear cybersecurity standards.

Implementation through Contracts

Once CMMC is fully implemented, certain DoD contractors that handle sensitive unclassified DoD information will be required to achieve a particular CMMC level as a condition of contract award.

CMMC Model