DoD CMMC Proposed Rule Released

Jan 15, 2024 | CMMC, CMMC 2.0, Defense Industrial Base, DOD

If you are in the Defense Industrial Base (DIB), you have most likely been waiting with bated breath on the arrival of the new CMMC rules. No doubt you are also aware by this point that they were released on December 26, 2023. There is a lot to unpack in the 81-page rule, but if you were expecting big bold requirement shifts or significant answers to many of your burning CMMC questions, you may be disappointed.

Instead, this release essentially endorsed the CMMC 2.0 model. Some of the big-ticket items identified in the release include:

  • NIST SP 800-171r2 will serve as the underlying framework. Even though there is a version 3 on the horizon, r2 is the version that applies for now. This has been the standard framework since DoD started requiring government contractors to protect CUI.
  • Companies requiring CMMC Level 1 will be required to submit an entry into the DoD Supplier Performance Risk System (SPRS). All 17 NIST SP 800-171 L1 controls (including the corresponding NIST SP 800-171A Assessment Objectives) must be met, and no POAM items are allowed.
  • A senior official must reaffirm/attest to compliance with the CMMC requirements annually.
  • Cloud Service Providers (CSPs) will need to meet the requirement of FedRAMP accreditation or FedRAMP equivalency. While an organization can become a formally authorized CSP, doing so is a huge financial investment, so there is an option to demonstrate FedRAMP equivalency. However, for now, there is no real guidance on how to determine equivalency.
  • Managed Service Providers and Managed Security Service Providers will need to be included in the assessments, but there is no clear guidance on how this will be implemented.

One of the big items of note in this release was the DoD’s attempt to quantify the cost of CMMC accreditation.

  • Small entities, CMMC L2 Accreditation: over $100,000 for the initial accreditation year.
  • Small entities, CMMC L2 Self-Assessment: over $32,000 for the initial L2 Self-Assessment and attestation.

Those numbers represent just the assessment costs and are not inclusive of the technical and administrative costs associated with the controls put in place to become compliant. But, as noted in the DoD release, DIB companies under contract should have already made the investment to meet the 110 controls of NIST SP 800-171.

At this point, rather than getting into the weeds of the requirements, it might be prudent to take a step back and look at your company’s business case for remaining in the DIB. It should be noted that this whole endeavor is a necessity, as critical DIB information must be protected. And if you aren’t prepared to invest in the company to protect DIB information and you choose to get out, that is understandable.

But if you choose to stay in the game, now is the time to get moving on your CMMC compliance journey, wherever you might be on the path. Our Cybersecurity Assessor and Instructor Certification Organization (CAICO)-certified staff can help you every step of the way. Take the first step toward simpler, easier cybersecurity compliance, and schedule a call with a Duffy Compliance expert today.
