On 22 Dec (pre-release) or 26 Dec (official inclusion in the Federal Register) the DoD and OMB released the new Title 32 CFR 170 CMMC Rule. There are 234 pages in the main document alone, with more than 200 pages in supporting documentation.
What does this mean for companies that do business with the DoD?
The most important change to the existing CMMC draft rule is that when the final rule drops (sometime in early 2025) the requirements around contractors self-attesting to compliance will change. Drastically. Instantly.
Today, we all have to have a score in the Supplier Performance Risk System (SPRS). Nobody cares what that score is. You just need to have one and a date when you expect to be fully implemented. Nobody is paying attention to that date. All good. No worries.
But now it will be different….
Next year, your score will matter. A “Senior Company Official” will be required to submit an affirmation —in other words, a legal oath— that your company possesses an SPRS score of 88 (80% implemented) or higher. There are also a large number of “no-fail” controls that must be in place; if one of them has not been met, your company cannot attest to compliance (or be eligible for contracts).
You will have to use CMMC scoping to determine your score (and the scoping has changed; it now has to include your outsourced IT and security stuff and people… all of them). Let's say you currently have a score of zero. Not a bad score, really, based on what is common in the DIB: given the odd scoring matrix, where the lowest possible score is -203, a zero means 65% implemented. If you are being strict, as the DoD has told the C3PAOs to be, then that is moving along. Not great, but a lot of companies are really in the ~-150 range and have no program.
The day after the rule goes final you will be ineligible for a contract award unless someone in your company is willing to submit an "affirmation" that you possess a score of at least 88. The DoD has estimated the final rule could go into effect as early as the end of the year, but we don't think they will make that. Most likely, the rule will drop sometime in 2025 (we have heard a rumor the DoD is aiming for March 2025). This means that DIB contractors have roughly one year to become 80% compliant with CMMC requirements, a process that takes anywhere between 18 months and two years, depending on factors like company size.
On the affirmations, as one legal blog put it, "These affirmations may be considered express representations for False Claims Act purposes and thus should be taken very seriously." That translates as: the person affirming will be potentially criminally liable if it is found later that this affirmation is not true, and third-party assessors will be required to report the results of their assessments to the DoD, pass or fail.
So we have been talking about CMMC for a while, and the business folks have often said, "call me when there is really something to this." I would submit that day is today.
Who is going to sign the affirmation? That you are 88 or better? An affirmation that holds potential, personal, criminal liability?
Roll forward 6 months from the rule release and your affirmation will need to be 110/110: in other words, perfect implementation. For all in-scope systems. Who will be signing that one? For the compliance managers out there, I urge you to say, early and often, "Not me! I am not senior enough!"
Someday, most companies (in my view, and as estimated by the DoD) will need a Level 2 third-party CMMC certification. So the homework associated with your affirmation will certainly be checked eventually. If you get less than 100% on your homework… there is at least the potential of False Claims Act criminal liability. The C3PAO must report to the DoD the results of the assessment — pass or fail. If you fail, what will the DoD do with that information? What if you get hacked and the DoD comes in? There is some potential for criminal liability if any of the no-fail controls are found lacking. The SolarWinds CEO, CFO, and CISO have been personally and criminally indicted now, so a personal indictment is not fantasy island stuff at all.
The DoD has laid their cards on the table. I have a lot of problems with the rule, and already have 48 pages of comments I intend to submit, but…
For every business leader out there, now is the time to get serious about your cyber program and start really moving out to get compliant. If you don't, there is enormous risk to you when faced with, "Put in an 88 or lose the contract?" sometime next year.
For the Bigs who might read this, please don't sleep well knowing you have a great program and you have passed many certifications. “Not to worry. It will work out.”
Do worry. CMMC is different. CMMC is demanding not just paperwork that says you are doing something, but a body of evidence that proves you are executing what your paperwork says on a recurring basis. If your team has federal experience, think of it as passing an Authority To Operate (ATO) assessment with no POAMs, no Not Applicable, no Alternative and Mitigating, and no control tailoring. No other certification program I know is "no fail." You cannot miss any single control, any single assessment objective, for any reason, if you want to be certified. The "we allow POAMs" provision is severely restricted and limited. They do allow them, but for only ⅓ of the controls (so ⅔ are auto-fail), and you must still show 100% at the end of six months.
And if you have had a DIBCAC High? Nice. But they are not following the CMMC rules.
This is really, really hard because NIST has written a pretty stiff control set, and DoD is planning to enforce every word, and has significantly expanded the systems those controls apply to. So even if you have a good program, take a round turn.
The DoD has raised the stakes.