32 CFR Part 170 Key Takeaways

From Cooey Wiki

Introduction

On October 15, 2024 32 CFR Part 170 also known as the "CMMC Final Rule" is published to the Federal Register. Effective 60 days later, the CMMC program is in effect.

Below are some key considerations, changes, and details to know with this rule's publication. This page's intent is to capture key differences, address changes between the draft rule and final published version.

Link to the PDF: https://public-inspection.federalregister.gov/2024-22905.pdf

Link to the FAR: https://www.federalregister.gov/public-inspection/2024-22905/cybersecurity-maturity-model-certification-program

Timelines

The Final Rule codifies that Joint Surveillance Voluntary Assessments (JSVAs) will equate to a CMMC Level 2 certification, assuming the organization received a perfect 110 score.

DoD projects a 7-year timeline with a 4-year phased roll-out, initially.

In FY2025, DoD will primarily be requiring self-assessments. There will be approximately 500 expected third-party certifications required on contracts the first year.

CMMC self-assessments must have a score of 88 or more to "pass" and be compliant. The Affirming Official (formerly a "Senior Official" will need to affirm that the reporting is accurate. Affirming this score carries personal criminal fraud risk, and affirmations may be verified in a third party assessment later.

In FY2026, that 500 grows to about 2500 and by FY2027, about 9000. By FY2028, DoD anticipates 16,000 third-party certifications needed a year.

By the end of the rollout, the numbers projected by DoD are 4,000 self-assessed and 76,000 assessed by a Certified Third Party Assessment Organization (C3PAO).

Many DIB contractors (and sub-contractors) can expect to be required to self-assessment, per contract and purchase order flow-down requirements.

It's important to note that DoD has the discretion to delay the certification requirement to an option period instead of the condition of "upon contract award." While it's not expected this will be taken advantage of often, this does give DoD flexibility on specific programs that may have unique challenges to supply chain partners becoming certified.

Additionally:

"The CMMC Program’s assessment phase-in plan, as described in § 170.3, does not preclude entities from immediately seeking a CMMC certification assessment prior to the 48 CFR part 204 CMMC Acquisition rule being finalized and the clause being added to new or existing DoD contracts."

Security Protection Data

When Cloud Service Providers (CSPs) only handle security protection data (SPD), and not CUI, the application or service would be treated like a security protection asset (SPA).

Security Protection Assets

The Final Rule now suggests that Security Protection Assets (SPAs) will be assessed against security requirements that are "relevant to the capabilities provided."

"If an OSA utilizes an ESP, including a Cloud Service Provider (CSP), that does not process, store, or transmit CUI, the ESP does not require its own CMMC assessment. The services provided by the ESP are assessed as part of the OSC’s assessment as Security Protection Assets."

External Service Providers

The Final Rule clarifies the difference between Cloud Service Providers (CSPs), External Service Providers (ESPs), and Managed Service Providers (MSPs).

The requirement for ESPs (regardless of the services it provides) to be CMMC-Certified is no longer a requirement. However, an MSP, acting as an ESP, may choose to become CMMC-Certified.

The Final Rule suggests that Organizations Seeking Certification (OSC) may inherit controls for External Service Providers (ESPs) in scope when the ESP is CMMC-Certified.

Managed Service Providers

The Final Rule clarifies that Managed Service Providers (MSPs) do not need FedRAMP Moderate to support an Organization Seeking Certification (OSC).

The Rule also allows MSPs to get CMMC certified to avoid being re-assessed for every client.

FedRAMP & Equivalency

FedRAMP Moderate authorization is required when CUI is stored, processed, or transmitted in a cloud service offering.

There is still some question on the commentary and verbiage, but there is clarity in that a CSP only handles security protection data (SPD), and not CUI, therefore, the application or service would be treated like a security protection asset (SPA).

Virtual Desktop Infrastructure

Virtual Desktop Infrastructure (VDI) language was added to remove the endpoint from scope if the endpoint is not processing, storing, or transmitting CUI.

Assuming appropriate technical controls prevent data transfer, the "dumb client" (or the computer you open the virtual desktop from) can be kept out of scope. It was previously assumed that they would need to be at least a Contractor Risk Managed Asset (CRMA).

Assessors and the Training Community

The minimum number of assessors per third-party assessment has been expanded from 2 to 3. Additionally, at Lead CMMC Certified Assessor (CCA) is required and at least one other CCA. This will likely increase the projected costs of assessments.

CMMC instructors are now prohibited to also consult. Additional clarification is expected on this.