The U.S. Department of Defense’s CMMC final rule was released on Oct. 15, 2024.
Key takeaways
CMMC cybersecurity requirements are complex, and defence contractors should start preparing now.
Companies must monitor several requirements to meet the new cybersecurity standards.
The U.S. Department of Defense (DoD) released a new Cybersecurity Maturity Model Certification (CMMC) final rule on Oct. 15, 2024, outlining a framework to strengthen cybersecurity requirements for defence contractors. CMMC applies to Canadian-based firms doing business with the U.S. DoD. The final rule is complex, and defence contractors should start preparing now to understand and prepare for new requirements.
Here are five key requirements to monitor now that the rule is has been released:
1. Phased implementation
The CMMC final rule goes into effect December 2024. Organizations seeking certifications (OSC), accessors and members of the defence industrial base (DIB) are expected to adhere to final requirements through a four-phased implementation rollout.
Why it matters?
- Implementation, certification and enforcement requirements in the rule will be in effect as of December 2024. The final rule extends the duration of Phase 1 from six months to one year to allow the DIB time to ramp up and implement the rule’s final requirements. Successive phases two, three and four commence annually thereafter.
- This will create challenges for OSCs and cybersecurity personnel in the ecosystem that are not fully aware of or prepared for certifications, creating resource constraints, increased workload and pressures from the market for quick implementation.
What can you do?
- If you have already completed a readiness or gap assessment, review your gap listing or plan of action and milestones (POA&M) to ensure timely remediation. Consider assistance from a qualified CMMC third-party assessor organization (C3PAO) resource, like RSM, to help expedite identification and remediation of potential gaps or provide a qualified external assessment.
2. External services provider certification requirements
External service providers (ESPs) that do not process, store or transmit controlled unclassified information (CUI) are exempt from CMMC certification.
Why it matters?
- An ESP may not be as mature in the certification journey as an OSC. This distinction allows some ESPs to continue operating without certification, reducing compliance burdens based on the nature of their services.
What can you do?
- Validate the services of ESPs within your boundary and enhance or enforce logical and physical controls to prevent sharing CUI (where possible). Not sure how to get started? RSM’s integrated CMMC services team can validate the flow of CUI/covered defence information throughout your boundary and help develop risk management practices to manage ongoing ESP compliance.
3. POA&Ms allowance
OSCs must achieve at least an 80% compliant rating against the 110 security requirements in order to obtain a confidential certification. That said, within 180 days, each open item must undergo and pass a POA&M closeout assessment to achieve full compliance.
Why it matters?
- This requirement enables OSCs to adapt to emerging threats and implement operational improvements within their cybersecurity programs. Validating remediation is a core tenet of effective risk management and continuous monitoring.
What can you do?
- Implement a risk management program and accountable party to ensure that POA&Ms are identified in real time and a proactive remediation strategy is designed and implemented within the 180-day period.
4. No exemption for international contractors
Domestic and international organizations will be subject to the same CMMC requirements. No additional time or special accommodations or tailoring will be granted to international contractors.
Why it matters?
- This requirement introduces potential logistical concerns and additional costs to international contractors, and U.S.-based contractors with international locations and facilities that will need to define a global strategy to tackle their compliance journey.
What can you do?
- Engage with a certified third party, like RSM, with international capabilities to scale and perform certifications domestically and abroad to ensure availability and timeliness of certification. Not sure how to get started? RSM’s integrated CMMC advisory and strategy services team can help you plan and execute your multinational engagement.
5. Role of the affirming official
The affirming official is responsible for ensuring and affirming the contractor’s compliance with CMMC security requirements at multiple phases in the CMMC lifecycle.
Why it matters?
- While the rule does not specifically determine who must be the affirming official, it does clearly assign responsibility, accountability and potential legal liabilities to the affirming official.
What can you do?
- OSCs should begin reviewing responsible and accountable roles for their CMMC journey and designate officials for affirmation statements. Not sure how to get started? RSM provides advice and services to strategically align your organization’s CMMC journey and business to support strategy moving forward.
Related insights
Contact our CMMC professionals
Complete this form and an RSM representative will be in touch shortly.
Cybersecurity Maturity Model Certification advisory services
Supporting government contractors throughout their CMMC compliance journey
