CMMC: what's new in September 2024

Every month, CyberAB, the organization that coordinates CMMC, organizes a meeting to share information on what's new at CMMC.

Here's a summary of CyberAB's monthly meeting - September 2024.

CMMC passes regulatory examination

On September 13, 2024, the CMMC Final Rule (32 CFR) passed regulatory review. For details, please consult this link.

Consequences

CMMC could be official before the end of 2024
As soon as CMMC is official, its requirements will be included in DoD tenders. From then on, CMMC will become binding.

Projected timetable for CMMC implementation

However, given the acceleration we are seeing, CMMC could be implemented in December 2024.

You won't get your CMMC certification if your external service provider (IT/Cybersecurity) isn't CMMC certified.

A DoD contractor or subcontractor will not be able to obtain CMMC certification if it uses an ESP (MSSP, IT compant, etc.) that does not have at least the same level of CMMC certification as it does.
For example, if you require CMMC Level 2 certification, your external service provider must also be CMMC Level 2 certified.
DoD contractors and subcontractors must inform their external service providers that DoD requires them to obtain the same level of certification as they do.

You cannot obtain CMMC certification if you use a Cloud that is not FedRAMP.

CMMC requires that CUI be stored only in FedRAMP Moderate or High Clouds.
Storing your CUIs in a non-FedRAMP Cloud is non-compliant and will prevent you from getting your CMMC certification.

Microsoft 365 Commercial is no longer FedRAMP and CMMC compliant

Microsoft 365 Commercial is no longer recognized as FedRAMP “equivalent”.
Our recommendation is to use Microsoft 365 GCC HIGH (which is CMMC and ITAR compliant).

Got a CMMC question? We've got the solution.

StreamScan is a CMMC Registered Provider Organization (RPO) and is officially authorized to support organizations in their CMMC process.