Tom Temin: Well, there are two rules coming to implement CMMC, fair to say. Tell us what’s the status of the first one? It became effective in the middle of December. And what does that rule by itself do?

Michael Greenman: Yeah, it really kind of opens the floodgates to the CMMC Level 2 certification audits. Back in the beginning of CMMC 1.0, as it’s known, that version of CMMC really only focused on the rule enforcement. And now this time around in CMMC 2.0, this program rule, the 32 CFR rule that just became published official final on Dec. 16 actually creates the program requirements. Talks about the details of the certifications that happen. And so the significance of this date and the significance of this rule coming official is that defense contractors can now actually go out and seek a CMMC Level 2 certification, even before it’s required.

        Join us Jan. 27 for our Industry Exchange Cyber 2025 event where industry leaders will share the latest cybersecurity strategies and technologies.

Tom Temin: And Level 2 relative to Level 1 is.

Michael Greenman: Different. So CMMC in the second version, or CMMC 2.0 as it’s known, has three levels of certification. Level 1 is going to be a self-attestation, self-affirmation of what’s considered kind of basic cyber hygiene in alignment with existing federal regulations. The FAR 52.204-21 rule, which talks about basic safeguarding of sensitive information of federal contract information. CMMC Level 2 is kind of the big splash, the new thing, which in the case of defense contractors that are storing, processing, handling, transmitting controlled unclassified information, they will need this Level 2 certification from an independent certified third party assessment organization.

Tom Temin: Right. And what’s your sense of the development of that ecosystem of the assessors?

Michael Greenman: Yeah, it’s a hot topic amongst the community because there is an independent nongovernment organization known as the Cyber AB. If you want to check them out, it’s cyberab.org. That is charged specifically as a contractor of DoD to certify, to educate, to qualify those independent third party assessment organizations. And prior to the rule drop in month of December, there was roughly high 50s, 60 of those organizations that are certifying. And then within the organizations, there are individual assessors that get certified as well. So it’s a very complex system. But paired up with the number of DoD contractors that will eventually need certifications, there’s a bit of an inverse right now, and that’s where the kind of topic of discussion is going on.

Tom Temin: And then we mentioned too at the top, there’s a second rule, which is behind the first rule, not quite out of the chute. What would that rule do and what’s its status?

Michael Greenman: Yeah, you can see some logic behind what DoD was trying to do, set the program up, right. Talk about the rules. Talk about expectations of the assessments and the certifications, rules of the game. And then the second part, which is known as the 48 CFR Code of Federal Regulations rule, also known as the enforcement rule. That will actually enable and put teeth behind the requirements of the CMMC provision in federal contracts. So what that converts into is federal contractors will be aware that within their contracts, in addition to FAR clauses and that stands for the Federal Acquisition Regulations. There’s what I call DFARS, Defense Federal Acquisition Regulation Supplement. And so what the 48 CFR CMMC enforcement rule does is enables the DFARS 252.204-7021 clause to be not only in contracts but enforceable by the provisions and the details within that rule which are not final yet.

Tom Temin: You sound like you could recite the offered here in Greek. We’re speaking with Michael Greenman. He’s a cybersecurity researcher at Deltek. And will there be, do you think, a single standardized type of clause that will come out of this that can be in all the contracts, or will you find every component, every armed service, every unit having its own tailored clause to carry out CFR 48?

Michael Greenman: That’s a great question. I don’t have a crystal ball on that per se. I, like a lot of other people, have ramped up on my federal rule making chops. There are experts out in the field that probably can go much deeper. But from what I’ve heard from industry, it is, at least on the defense side of things, meant to be somewhat universal. So I would assume based on, again, what I’m hearing from industry, that it should be pretty universal across the Armed Services. But who knows, there could be differences. The more interesting question to follow up on that is what is the wider federal government going to do once defense has rolled out CMMC? There’s speculation and proof that there will be a similar type of program for all federal contractors.

        Read more: Cybersecurity

Tom Temin: And that we can expect from an adaptation by the General Services Administration?

Michael Greenman: Again, not totally versed on the details of how it would work, but what’s known as the FAR CUI rule has made its way through the federal rule making process and cleared the OMB’s final destination for rules, the OIRA department and expecting any time for this FAR CUI rule to come out as well which is widely anticipated to be very similar to the DFARS 7012 laws, which was the origin of protection of controlled unclassified information for defense contractors. So that but for all federal contractors.

Tom Temin: And when you peel this all away at some point, there is a set of conditions and circumstances and settings that you should have in your information systems and they’re outlined by NIST. I mean, they’re pretty well known. So contractors’ best, I guess, defense against trouble down the line is simply put those controls in place and then the rest should be followed fairly routinely, I would think.

Michael Greenman: Absolutely. But with any business, what typically happens is you do things as a business to make money and cut costs and try to be as efficient as possible. And that’s what the industry found. Once this DFARS 7012 clause was originally put out in late 2016, 2017, that a lot of defense contractors weren’t aware, didn’t fully implement, weren’t fully following the rules. And so the purpose and the reason behind CMMC was to provide independent audit, independent verification, validation of the implementation of the DFARS 7012 rule to protect controlled unclassified information. And yes, it’s based off of the NIST 800-171 standard. So if you’re a federal contractor and not familiar with that cybersecurity control framework from NIST, better get to work.

Tom Temin: And by the way, what is the time frame expected for that second rule that maybe it’s cleared the White House rule making oversight group? Then what?

Michael Greenman: Yeah. So kind of waiting to see here. The industry expectation is obviously sometime in 2025. I’ve heard estimates as early as first quarter of 2025, but perhaps by mid-2025, thinking summer of 2025 for that final rule to drop. And what that will start is what DoD has coined a phased rollout of CMMC, starting with contractual requirements for self-assessments that with that Level 1 CMMC assessment, maybe some Level 2 self-assessments. There’s a part that allows for that, but it’s expected to be pretty small. But the big part of CMMC Level 2, the certified independent third party auditor certifications, once the phased rollout starts, meaning when that 48 CFR rule is final, one year after that happens, that’s when you can expect to see those Level 2 certifications that require that third party audit to come in to new contracts.

Tom Temin: Well, don’t say we didn’t warn you.

        Want to stay up to date with the latest federal news and information from all your devices? Download the revamped Federal News Network app