CMMC now official as of October 15, 2024

The CMMC regulations have been passed by the US Congress and are now official as of October 15, 2024. As of this date, the CMMC will go into effect in 60 days, on December 14 or 15, 2024.

The CMMC Final Rule, also known as 32 CFR, is 426 pages long. We have analyzed it. Here's what you need to know:

CMMC and contracts

CMMC will not be required when you submit your bid to a call for tenders, but when you are awarded a contract.

Conditional CMMC certification

You can obtain conditional CMMC certification if you comply with 80% of CMMC controls (all CMMC controls with a score of 5 must be complied with within 80%).
Conditional CMMC certification requires you to have an action plan with milestones (POAM) to correct deviations within a maximum of 18 months. On expiry, if all deviations have not been corrected, your conditional certification expires.

Obligation to maintain your CMMC certification

DoD requires that your CMMC certification remain valid at all times, without exception, for the duration of the contract.

Notification of CMMC changes

During the term of the contract, you are required to report any changes in your infrastructure that may result in CMMC non-compliance.

Retention period for CMMC audit evidences

Evidence of your CMMC certification audits must be retained for at least 6 years, in accordance with the mandatory requirements of the U.S. Department of Justice.

Exclusion from CMMC scope

All IoT, IoT and IIoT equipment is excluded from the CMMC scope and classified as specialized assets.

Cloud service providers (CSP)

If you decide to store CUI in the Cloud, make sure your Cloud provider is FedRAMP Moderate authorized or equivalent.

CMMC certification is not mandatory for external service providers (ESP)

DoD has made CMMC certification optional for External Service Providers (ESP).

If you choose an ESP that is not CMMC-certified, here's what to consider :

Increased scope of your CMMC audit: Your ESP's environment will be included in your own CMMC audit, increasing its scope and complexity.
Additional costs: You will have to cover the costs of auditing the environment of your supporting ESP. This environment must meet the requirements of NIST 800-171. This will be verified during your CMMC audit.
Continous validation: You will be responsible for ensuring that your ESP remains continuously compliant with NIST 800-171.
Legal risk : Make sure your ESP complies with NIST 800-171 requirements at all times, to avoid any legal risk. In fact, when you have CMMC certification, every year a member of your senior management must confirm that you are still CMMC-compliant. This affirmation has a legal value, and it would be wise to carry out an annual validation of your ESP's compliance, before the annual self-affirmation.
Risk of non-certification: If your ESP environment is not compliant with NIST 800-171, this could compromise your ability to obtain your own CMMC certification.

If your External Service Provider (ESP) is CMMC-certified

By choosing a CMMC-certified supplier, you avoid a number of complications. For example, their supporting environment will not be audited as part of your CMMC certification, reducing cost, effort and time while ensuring ongoing, streamlined compliance.
A certified ESP is legally responsible for his part. It must make its own annual self-affirmation, which releases you from any liability.

Flow down

Your subcontractors with whom you share CUI must have the same level of CMMC certification as you do.
It is your responsibility to ensure that your subcontractors have the required CMMC certification, before sharing CUI with them.

CMMC vs NIST 800-171

The core of CMMC will remain NIST-800-171 Rev 2. Forget Rev3 for now.

How can Streamscan help?

StreamScan is a CMMC Registered Provider Organization (RPO) and is officially authorized to support organizations in their CMMC process.

We have chosen to pursue CMMC Level 2 certification in order to offer unique added value to our customers.