Aerospace Companies: A Big CMMC Rulemaking Development Took Place at Year-End


In case you missed it, the Department of Defense’s CMMC program took a significant step forward with the publication of the CMMC Proposed Rule in the Federal Register on December 26, 2023. That publication opened a 60-day public comment period.

With CMMC requirements anticipated to begin appearing in contracts in Q3-Q4 2024, the Proposed Rule finally marks real progress toward enacting a program meant to enforce baseline cybersecurity practices across America’s defense contractors.

Here are six key takeaways from the Proposed Rule:

  1. CMMC finalization is imminent. Contractors will need to hold the CMMC level specified in a solicitation by the time of award. Failure to obtain it can make a contractor ineligible for new awards and, where the requirement flows into existing agreements, can put those agreements at risk.
  2. The security controls at CMMC Level 2 will be the 110 security requirements in NIST SP 800-171 Rev. 2, the same requirements DFARS 252.204-7012 has imposed for several years. What changes is that self-attestation will no longer suffice for most covered companies; they will have to pass a CMMC assessment.
  3. The Department of Defense estimates that the large majority (about 95%) of organizations seeking CMMC Level 2 will require a certification assessment by an accredited C3PAO every three years, rather than a self-assessment.
  4. Joint Surveillance Voluntary Assessment (JSVA) results will convert directly to a CMMC Level 2 certification, provided the assessment scored 110/110 with no open POAMs.
  5. FIPS 140-validated cryptographic modules must be used wherever encryption protects Controlled Unclassified Information (CUI). This is what SP 800-171 requirement 3.13.11 calls for, and an unvalidated implementation does not satisfy it for Level 2 certification.
  6. Common commercial email services such as O365 are not, on their own, compliant with DFARS 252.204-7012 paragraphs (c)-(g) (cyber incident reporting, malicious software submission, media preservation, access for forensic analysis, and damage assessment). Organizations that handle CUI in such a service must obtain an attestation from the cloud service provider that it will meet those paragraphs.

The 60-day comment period, which opened on December 26, 2023, accepts stakeholder feedback through February 26, 2024. After it closes, the Department of Defense will review and respond to the comments, with the Final Rule expected later in 2024.

It is now crucial for contractors to prepare for CMMC, because the phased rollout does not guarantee extra time to achieve certification. Matt Travis, CEO of the CyberAB, has said that waiting out protracted rulemaking is a risky approach and that organizations should proactively bring their cybersecurity posture into line with CMMC Level 2 requirements.

The good news is that we now know CMMC Level 2 simply mirrors NIST SP 800-171. Why it took countless delays, multiple leadership changes and more than six years to get here is still a mystery, but at least we now have clarity. Well, 99% clarity (pending comments).

If you’re a defense contractor who has been putting off CMMC compliance preparation, you have frankly been acting rationally given all the past delays.

That said, you are also technically out of compliance if you have not submitted your NIST SP 800-171 self-assessment score (derived from your SSP and POAMs) to SPRS as DFARS 252.204-7019 requires. But you also knew that unless one of your primes really pushed down on you, which they have mostly stopped doing, no one was going to audit your cybersecurity compliance practices.

Once the Final Rule is published, however, those assessments will finally arrive, so it now makes sense to start working toward CMMC compliance.

While the average small company in the Defense Industrial Base (DIB) is told to expect a 12-18 month preparation period before a CMMC assessment, we believe our solution set here at KaufmanIT can both shorten that timeline dramatically and meaningfully rein in costs along the way.

If you are a defense contractor and would like to learn about the one-of-a-kind CMMC solution set KaufmanIT has crafted for its clients in this industry, contact us for more information.

©2024 KaufmanIT, Inc.
