CMMC Program Proposed Rules and Cost Impacts

The Cybersecurity Maturity Model Certification (CMMC) Program’s 2023 update introduces significant changes, affecting contractors and subcontractors involved with the Department of Defense (DoD). These modifications are critical in shaping the landscape of cybersecurity practices within the defense sector. In this blog post, we’ll dive into the new sections of the CMMC Program Proposed Rules, providing a comprehensive summary and highlighting the potential cost impacts on contractors and subcontractors.

The Proposed Rule of the Cybersecurity Maturity Model Certification (CMMC) v2 Program introduces significant changes, particularly affecting contractors and subcontractors in the defense sector. These updates are critical for enhancing cybersecurity measures in alignment with the Department of Defense (DoD) requirements. This blog post delves into the specific new sections introduced in the CMMC Program Proposed Rules and discusses the potential financial impacts these changes may have on contractors and subcontractors.

New Sections

The following are sections that are labeled (NEW) within the proposed rules:

1. Assessment Requirements at Level 1 (NEW): This section mandates annual self-assessment for contractors and subcontractors to ensure they meet the security requirements outlined in FAR clause 52.204–21. The results of these assessments must be recorded in the Supplier Performance Risk System (SPRS), adding an additional layer of accountability and traceability.

2. New CMMC Assessment Scope and Annual Affirmations (NEW):

   • This rule stipulates that any system falling under the new CMMC Assessment Scope cannot process, store, or transmit Controlled Unclassified Information (CUI) until it has been validated through a new CMMC assessment. Furthermore, a senior organization official must annually affirm that the organization complies with the specified CMMC level, emphasizing the importance of continuous compliance.

3. Monitoring Contractor Compliance (NEW):

   • This section places the onus of monitoring compliance with contract terms directly on contractors. It highlights that the DoD will not employ continuous monitoring in place of compliance requirements, making it clear that the responsibility lies with the contractors.

4. Affirmation Requirements at Level 2 (NEW):

   • This new requirement compels senior officials from prime contractors and any applicable subcontractors to affirm annually their organization’s compliance with specified security requirements. This affirmation must be entered electronically into the SPRS.

5. Affirmation Requirements at Level 3 (NEW):

   • Similar to Level 2, this section requires affirmations of compliance post-assessment and annually thereafter. However, it adds that additional security requirements will be prescribed for Level 3 upon the finalization of CMMC.

6. Updates to CMMC Levels 4 and 5 Based on Public Comment (NEW):

   • This section responds to public feedback about the disconnect between NIST SP 800–171B/172 and CMMC 1.0 Levels 4 and 5. It introduces a degree of flexibility in implementation to accommodate various organizational structures and threat models.

7. New Requirements for CMMC Level 3 (NEW):

   • This section introduces additional security protection and assessment requirements derived from NIST SP 800–172. It emphasizes the evolving nature of cybersecurity threats and the need for advanced protective measures.

Cost Impacts to Contractors and Subcontractors

The revised CMMC Program rules will have several financial implications for defense contractors and subcontractors:

1. Enhanced Administrative and Compliance Costs:

   • The additional self-assessment and affirmation requirements across CMMC levels will likely increase the administrative workload. This could lead to higher operational costs, especially for smaller organizations that may lack the necessary resources for regular compliance activities.

2. Need for Advanced Cybersecurity Solutions:

   • Compliance with the updated security requirements, particularly at higher CMMC levels, will necessitate investments in state-of-the-art cybersecurity infrastructure and tools. This could be a significant expenditure, especially for organizations that currently lack advanced cybersecurity measures.

3. Training and Personnel Development Expenses:

   • Ensuring staff are well-versed in the latest cybersecurity practices and compliance requirements may require ongoing training programs. This could result in increased expenditure on training and personnel development.

4. Potential Cost Savings with Flexibility:

   • The flexibility offered in the implementation of Levels 4 and 5 may allow organizations to adopt cost-effective cybersecurity measures that are tailored to their specific needs and threat environments.

5. Unforeseen Reassessment Costs:

   • Changes in the CMMC Assessment Scope could necessitate new assessments, leading to unexpected financial burdens, especially for organizations that undergo frequent infrastructure changes or expansions.

Conclusion

The Proposed Rule to the CMMC V2 Program Proposed Rules represent a significant stride in advancing cybersecurity standards within the defense sector. While these changes aim to fortify cybersecurity defenses, they also bring forth new financial challenges for contractors and subcontractors. Organizations must navigate these changes carefully, balancing the costs of compliance with the necessity of robust cybersecurity practices. This balance is essential for safeguarding sensitive information against evolving cyber threats while maintaining fiscal sustainability.