Document Written on Saturday October 13, 2024, by Humberto Correa, CEO and Founder, RPO, RP, MSP, MSSP of Brea Networks, LLC. This document provides an overview of the major highlights and changes in the 32 CFR release from October 11, 2024, which is projected to take effect on December 16, 2024. We have outlined and emphasized what we consider to be the most significant changes impacting the industry, offering insights into how these adjustments may affect key stakeholders.
Here’s a quick summary checklist of what’s new in the final 32 CFR rule, based on the detailed document analysis:
- CMMC Levels Updated:
  - Level 1 covers basic cybersecurity; Level 2 has been broken down into Self vs. C3PAO assessments; and Level 3 incorporates more stringent security requirements drawn from NIST SP 800-171 R2 and NIST SP 800-172 (24 extra controls).
- Self-Assessment for Level 2:
  - If your contract's or work order's language calls out Level 2 (Self), then you can perform a self-assessment.
  - Self-assessments are allowed for Level 2, but organizations must upload their scores to the Supplier Performance Risk System (SPRS) and submit an annual affirmation of compliance.
  - Conditional Level 2 (Self) certification can be achieved with at least 80% compliance, provided deficiencies are resolved through a Plan of Action and Milestones (POA&M) within 180 days.
  - DIBCAC can still audit you with only days' notice.
- C3PAO Third-Party Assessments for Higher Levels:
  - Level 2 (C3PAO) and Level 3 assessments require Certified Third-Party Assessment Organizations (C3PAOs) for critical or sensitive CUI environments.
- FedRAMP Requirements for CSPs:
  - Cloud Service Providers (CSPs) that process, store, or transmit CUI must be FedRAMP Moderate Authorized or meet equivalent security standards.
  - CSPs not handling CUI are still part of the organization's overall System Security Plan (SSP) and Customer Responsibility Matrix (CRM).
- Security Protection Assets (SPA):
  - Assets that provide security functions (SPAs) must be fully documented in the SSP and assessed, even if they do not directly handle CUI.
  - Security Protection Data (SPD) is not inherently considered CUI but must be assessed if it protects CUI.
  - SPD can reside on non-FedRAMP solutions such as DUO Commercial, a firewall, an IPS, or a SIEM, as long as the solution is not processing CUI. If a CSP processes SPD without CUI, the CSP's services are assessed as Security Protection Assets under CMMC but do not require FedRAMP equivalency.
- POA&M Usage:
  - POA&Ms are used to temporarily address unmet CMMC security requirements. For Levels 2 and 3, POA&Ms must be closed within 180 days.
  - Some requirements, particularly in Level 3, do not allow for POA&M use and must be fully met at the time of assessment.
- Subcontractor Compliance:
  - Prime contractors are responsible for ensuring subcontractor compliance with the applicable CMMC levels. Requirements must flow down to all subcontractors, based on the sensitivity of the information they handle.
- Affirmation Requirements:
  - Annual affirmations of compliance are required in the SPRS system for all contractors, including after self-assessments and third-party assessments.
DFARS Clauses for CMMC Level Compliance:
- DFARS Clause 252.204-7012 – Safeguarding Covered Defense Information and Cyber Incident Reporting:
  - This clause applies across all CMMC Levels and mandates that contractors implement the security requirements from NIST SP 800-171 R2 to protect Controlled Unclassified Information (CUI) on non-federal information systems.
  - It also requires contractors to report cyber incidents to the Department of Defense (DoD) and to flow down these requirements to subcontractors that will handle covered defense information.
- DFARS Clause 252.204-7019 – Notice of NIST SP 800-171 DoD Assessment Requirements:
  - This clause requires contractors to complete and submit a basic, medium, or high NIST SP 800-171 DoD assessment prior to contract award.
  - The results must be uploaded to the Supplier Performance Risk System (SPRS). This clause aligns with CMMC Level 2, ensuring basic NIST compliance.
- DFARS Clause 252.204-7020 – NIST SP 800-171 DoD Assessment Requirements:
  - This clause informs contractors that DoD may conduct a higher-level review of their NIST SP 800-171 compliance, such as during a third-party CMMC assessment.
  - Contractors must also ensure their subcontractors have SPRS scores on file, confirming their own compliance with NIST SP 800-171.
- DFARS Clause 252.204-7021 – Cybersecurity Maturity Model Certification (CMMC):
  - This clause explicitly addresses the CMMC framework and mandates that contractors meet the specified CMMC Level (1, 2, or 3) based on the solicitation or contract.
  - Contractors must flow down this requirement to all subcontractors who process, store, or transmit CUI or Federal Contract Information (FCI).
CMMC Levels and DFARS Requirements:
- Level 1: This level requires basic safeguarding as per FAR Clause 52.204-21, which covers fundamental protections for Federal Contract Information (FCI). No additional DFARS clauses are required beyond the basics of safeguarding.
- Level 2: Contractors at this level must comply with the 110 security requirements of NIST SP 800-171 R2. DFARS clauses 252.204-7012, 252.204-7019, 252.204-7020, and 252.204-7021 are applicable to Level 2 compliance, which is focused on protecting CUI.
- Level 3: In addition to NIST SP 800-171 R2, Level 3 incorporates specific requirements from NIST SP 800-172 to address Advanced Persistent Threats (APTs). DFARS Clause 252.204-7021 governs this level, which is the most stringent, requiring DoD-conducted assessments (via DCMA DIBCAC).
These DFARS clauses provide the foundational framework for safeguarding both FCI and CUI under the CMMC program, ensuring compliance at all tiers of defense contracting.
POA&Ms
- POA&Ms are not permitted at Level 1. For Level 2, POA&Ms are allowed, but under strict conditions.
- Time Restrictions: POA&M items must be resolved within 180 days of receiving a “Conditional CMMC Status.” This means that contractors must meet 80% of the NIST SP 800-171 requirements upfront and place the remaining unmet requirements into a POA&M.
- Validation: After the 180-day period, the POA&M items are subject to a closeout assessment to verify compliance. If any of the unresolved requirements remain unmet after this period, the conditional certification will expire, and contractors will face potential contractual remedies.
- Points Limitation: Each POA&M item is limited to a point value of no more than 1 (with certain exceptions), reinforcing the need for timely and effective mitigation.
This rule enforces a stricter framework for ensuring cybersecurity readiness, with a clear focus on time-bound remediation and strict compliance for contractors working with the Department of Defense.
CMMC Level 2 Self-Assessment
The final 32 CFR rule permits self-assessments for companies pursuing CMMC Level 2 certification, but it is important to recognize that self-assessment is only suitable for organizations with dedicated resources in their IT department capable of managing the entire scope of compliance.
Self-assessment should be reserved for companies that not only have a functional IT department but also have specialized divisions including an IT Security Department and an IT Compliance Department.
These divisions are necessary to handle the management, maintenance, and monitoring of the compliance controls required by NIST SP 800-171. Companies without these specialized resources are likely to struggle with meeting the ongoing compliance requirements. A mature IT department with dedicated teams for security and compliance ensures the organization can properly address the complexities of cybersecurity compliance, such as managing security controls, performing annual affirmations, and ensuring continuous monitoring and compliance over time.
The specification of whether you need Level 2 (Self) or Level 2 (C3PAO) will be determined by the prime contractor or the DoD and will be outlined in your contracts, solicitations, or agreements. Here’s how it will work:
- Prime Contractor Responsibility: The prime contractor is responsible for flowing down the appropriate CMMC requirements to subcontractors. If the prime contractor’s contract with the DoD specifies handling Controlled Unclassified Information (CUI) that requires a Level 2 (C3PAO) assessment, they will need to ensure their subcontractors meet this level.
- Contractual Specification: Whether your organization can use Level 2 (Self) or must undergo a Level 2 (C3PAO) assessment will be clearly specified in the contract or solicitation requirements. This decision is based on the sensitivity of the information you are handling (i.e., whether it involves higher-risk CUI or a more critical security environment).
- Level 2 (Self) vs. Level 2 (C3PAO):
  - If the contract allows Level 2 (Self), your organization will be permitted to perform an internal self-assessment and submit the results through SPRS.
  - If the contract requires Level 2 (C3PAO), you must undergo an assessment conducted by a Certified Third-Party Assessment Organization (C3PAO) to meet compliance.
In summary, the prime contractor (or directly through a DoD contract) will specify whether Level 2 (Self) or Level 2 (C3PAO) is required based on the specific requirements of the project and the sensitivity of the information being handled. Make sure to carefully review the contracts or solicitations you receive for this information.
Cloud Service Providers (CSPs)
The final 32 CFR rule discusses the use of Cloud Service Providers (CSPs) in relation to CMMC requirements, particularly for handling Controlled Unclassified Information (CUI). Here’s a summary of the main points:
- CSP Definition: A CSP is defined as an External Service Provider (ESP) that provides cloud services, enabling on-demand network access to shared computing resources such as storage and applications, as per NIST SP 800-145.
- CSPs Handling CUI: When a CSP is used to process, store, or transmit CUI, the CSP must comply with FedRAMP Moderate Baseline or equivalent security requirements in accordance with DFARS clause 252.204-7012.
- CSPs Not Handling CUI: If a CSP does not process, store, or transmit CUI, it is not required to meet FedRAMP requirements. However, its services must still be documented within the Organization Seeking Assessment's (OSA) System Security Plan (SSP) and Customer Responsibility Matrix (CRM).
- CSPs in CMMC Scope: Any CSP services used to support the OSA’s compliance requirements are within the scope of the CMMC assessment. This means that even if the CSP is not directly handling CUI, its role in the service infrastructure supporting CUI could still make it part of the OSA’s overall compliance assessment.
- Documentation and Responsibilities: The relationship between the OSA and CSP must be clearly documented in the SSP and the CRM to clarify which security responsibilities are handled by the CSP versus the OSA.
- Voluntary Assessment: CSPs that do not meet the formal FedRAMP requirements but still want to demonstrate compliance may voluntarily undergo a C3PAO assessment, which can serve as a business differentiator.
In summary, CSPs that process CUI must meet stringent FedRAMP requirements, while those that do not handle CUI are still part of the OSA’s compliance structure and may need to be documented, assessed, or voluntarily certified depending on their role in the organization’s operations.
In the context of the final 32 CFR rule, Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs) can fall under the category of External Service Providers (ESPs) rather than Cloud Service Providers (CSPs), depending on the nature of the services they provide.
Here’s how they fit into these categories:
MSPs/MSSPs as External Service Providers (ESPs):
- MSPs and MSSPs typically provide IT management, monitoring, security, and support services, often as outsourced partners. They manage various aspects of an organization’s IT infrastructure and security, which can include handling sensitive information or assisting with cybersecurity measures.
- When these providers are involved in processing, storing, or transmitting Controlled Unclassified Information (CUI) on behalf of an organization, they are considered External Service Providers (ESPs) under the rule.
- ESPs must meet the applicable cybersecurity controls outlined in the NIST SP 800-171 and the DFARS 252.204-7012 clause, ensuring they provide adequate protection of CUI.
CSP vs. ESP:
- CSPs, on the other hand, are specifically defined as cloud-based service providers offering infrastructure, platforms, or software as a service (e.g., AWS, Azure, Google Cloud). CSPs that handle CUI must comply with FedRAMP Moderate or equivalent security requirements.
- MSPs/MSSPs may use CSPs as part of their infrastructure, but their role typically extends beyond providing cloud services alone. MSPs/MSSPs are responsible for managing and securing IT systems or networks rather than solely delivering cloud-based services.
Conclusion:
- MSPs and MSSPs are more aligned with the ESP category rather than CSP, given that they often manage IT services and security infrastructure rather than solely providing cloud computing resources.
- If MSPs/MSSPs process, store, or transmit CUI, they must adhere to the same security standards required of ESPs, specifically ensuring compliance with NIST SP 800-171 or the applicable CMMC Level.
If an MSP (Managed Service Provider) or MSSP (Managed Security Service Provider) does not process, store, or transmit Controlled Unclassified Information (CUI) on behalf of its clients, it is not required to achieve CMMC Level 2 certification. CMMC Level 2 is specifically designed to safeguard CUI, so organizations and service providers that do not handle CUI would not be subject to these higher-level security requirements.
Key Points:
- CMMC Level 2 applies to organizations (including contractors, subcontractors, and service providers like MSPs) that process, store, or transmit CUI.
- If the MSP/MSSP is providing general IT services without handling CUI, they would not need CMMC Level 2 certification.
- However, if the MSP indirectly supports systems that handle CUI, even though they do not manage CUI directly, their services could still be considered as part of the CMMC compliance assessment of the organization that handles the CUI.
Considerations:
- Even if the MSP does not handle CUI, they should still be aware of their client’s compliance needs. If the client must meet CMMC Level 2 or higher, the MSP’s role could impact the client’s overall compliance posture.
- If an MSP or MSSP works with organizations that require CMMC compliance, offering services that are aligned with security best practices (or obtaining CMMC certification voluntarily) could serve as a competitive advantage.
In summary, MSPs/MSSPs that do not handle CUI do not need CMMC Level 2 certification, but they must remain aware of their clients’ requirements and how their services might fit into a broader compliance framework.
If 32 CFR part 170 goes live on December 16, 2024, then the complementary 48 CFR part 204 CMMC Acquisition final rule will trigger the phased implementation plan. Based on the typical alignment of these rules, here is when you can expect the phases to begin:
- Phase 1: Begins on the effective date of 48 CFR part 204, which will most likely be around December 16, 2024 (if both rules go live at the same time). This phase will introduce CMMC Level 1 (Self) and CMMC Level 2 (Self) requirements for DoD contracts.
- Phase 2: Starts one calendar year after Phase 1, so December 16, 2025. In this phase, more contracts will require CMMC Level 2 (C3PAO) certifications for contractors handling more sensitive data.
- Phase 3: Begins one year after Phase 2, which would be December 16, 2026. This phase will further expand CMMC Level 2 (C3PAO) requirements and introduce more contracts needing CMMC Level 3 (DIBCAC) certifications.
- Phase 4 (Full Implementation): Starts one year after Phase 3, on December 16, 2027, when CMMC Level 2 (Self) and CMMC Level 2 (C3PAO) will be required for all applicable DoD contracts.
About Brea Networks:
Brea Networks is a highly professional and trusted Registered Provider Organization (RPO), offering comprehensive services as a CMMC Consulting Firm, Managed Service Provider (MSP), and Managed Security Service Provider (MSSP). As a Microsoft Government Partner and CMMC Level 2-3 ready organization, Brea Networks is also ITAR compliant, making it an ideal partner for Department of Defense contractors and other organizations seeking compliance. With nationwide coverage, the firm delivers tailored security and compliance solutions to organizations across the United States, ensuring they meet the highest industry standards.
Author: Humberto Correa / [email protected] 714-592-0063 Ext 100