CMMC 32 CFR: What’s in the final rule?
On October 15, 2024, the Department of Defense (DoD) published the final 32 CFR rule for CMMC 2.0 in the Federal Register. The long-awaited rule outlines the requirements for defense contractors and subcontractors, defines the levels and assessment types, describes the responsibilities of CMMC third-party assessment organizations (C3PAOs), and sets the implementation timeline.
Now that the CMMC program rule is finalized, here are the key takeaways you need to know.
Notable updates on CMMC final rule
Draft versions of the CMMC rule have circulated for months, providing strong indicators of the direction of the program. But, as expected, there are a few notable changes and updates in the final rule.
Program timeline
The effective date for CMMC is December 16, 2024. This is the date when the CMMC program will be live and operating. It is also the date when C3PAOs can begin security assessments for organizations seeking Level 2 certification.
Organizations are still waiting for an additional rule, the 48 CFR rule, to be published, which will add CMMC certification as a requirement in DoD contracts. That rule is expected to be published in Q2 2025.
Organizations that get certified ahead of upcoming contractual requirements will be set to meet those requirements without delay. This is one of the many reasons we encourage organizations to get in the queue for certification as soon as possible.
External service provider applicability
The biggest difference between the proposed and final rule has to do with external service provider (ESP) certification. In earlier versions of the proposed rule, ESPs, such as managed service providers (MSPs), were required to obtain CMMC certification. Under the final rule, ESPs are not required to obtain their own certification.
However, ESPs are still highly encouraged to pursue CMMC certification. If an ESP decides not to pursue CMMC certification, its assets will be in scope of its clients’ assessments by a C3PAO. This means that ESPs could negatively impact their clients’ timelines by adding hurdles to the review of assets. ESPs are therefore highly encouraged to get CMMC certified in order to streamline the process, which many of them were planning to do before the final rule was published.
Assessment staffing
The final rule includes an important update on staffing. The CyberAB, the accreditation body behind CMMC certification, has a program for training and certifying the individuals conducting CMMC assessments. There are two levels, certified CMMC professional (CCP) and certified CMMC assessor (CCA).
The CMMC final rule outlines that three CCAs must be involved in each assessment. Two CCAs will be required on the assessment team and one CCA will be a part of QA review.
This mandate for trained and certified professionals to conduct CMMC assessments will help to set a standard for excellence. However, it may create challenges for smaller C3PAOs with limited staff resources, resulting in longer wait times for assessments.
Requirements for CMMC level 2 compliance
The majority of organizations affected by CMMC will fall into level 2. The final rule defines the requirements for level 2:
- If you store, transmit, or process Controlled Unclassified Information (CUI), then you will need to obtain Level 2 Certification via assessment from a C3PAO.
- Organizations Seeking Certification (OSCs) will need to implement the 110 practices outlined in NIST 800-171 and meet all 320 practice objectives.
- While the DoD contract requirement rollout will likely begin in 2026, it is possible for primes to begin placing CMMC requirements on their subs before then.
Get started with CMMC now
If you haven’t gotten started on your plan for CMMC compliance, now is the time to start. Once CMMC requirements show up in DoD contracts, if you are not CMMC certified, you risk being left out of the defense contractor ecosystem.
A-LIGN is a globally recognized cybersecurity and privacy compliance provider that offers a single-provider approach for organizations. With more than 1,000 federal assessments completed, A-LIGN is an accredited C3PAO and FedRAMP 3PAO with extensive experience across NIST frameworks.
Contact us today to secure your spot in line.