The Cybersecurity Maturity Model Certification final rule is out. Now what?

5 key requirements to monitor on your CMMC compliance journey

December 04, 2024

Key takeaways

The DoD’s Cybersecurity Maturity Model Certification final rule was released on Oct. 15, 2024.

CMMC cybersecurity requirements are complex, and defense contractors should start preparing now.

Companies must monitor several requirements to meet the new cybersecurity standards.


The Department of Defense (DoD) released a new Cybersecurity Maturity Model Certification (CMMC) final rule on Oct. 15, 2024, outlining a framework to strengthen cybersecurity requirements for defense contractors. The final rule is complex, and defense contractors should start preparing now to understand and adapt to new requirements.

Here are five key requirements to monitor now that the rule has been released:

1. Phased implementation

The CMMC final rule goes into effect December 2024. Organizations seeking certifications (OSCs), assessors and members of the defense industrial base (DIB) are expected to adhere to final requirements through a four-phased implementation rollout.

Why it matters

  • Implementation, certification and enforcement requirements in the rule will be in effect as of December 2024. The final rule extends the duration of Phase 1 from six months to one year to allow the DIB time to ramp up and implement the rule’s final requirements. Successive phases two, three and four commence annually thereafter.
  • This will create challenges for OSCs and for cybersecurity personnel in the ecosystem who are not fully aware of, or prepared for, certification: resource constraints, increased workload and market pressure for quick implementation.

What can you do?

  • If you have already completed a readiness or gap assessment, review your gap listing or plan of action and milestones (POA&M) to ensure timely remediation. Consider assistance from a qualified CMMC third-party assessor organization (C3PAO) resource, like RSM, to help expedite identification and remediation of potential gaps or provide a qualified external assessment.

2. External service provider certification requirements

External service providers (ESPs) that do not process, store or transmit controlled unclassified information (CUI) are exempt from CMMC certification.

Why it matters

  • An ESP may not be as mature in the certification journey as an OSC. This distinction allows some ESPs to continue operating without certification, reducing compliance burdens based on the nature of their services.

What can you do?

  • Validate the services of ESPs within your boundary and enhance or enforce logical and physical controls to prevent sharing CUI (where possible). Not sure how to get started? RSM’s integrated CMMC services team can validate the flow of CUI/covered defense information throughout your boundary and help develop risk management practices to manage ongoing ESP compliance.

3. POA&Ms allowance

OSCs must achieve at least an 80% compliant rating against the 110 security requirements in order to obtain a conditional certification. That said, within 180 days, each open item must undergo and pass a POA&M closeout assessment to achieve full compliance.

Why it matters

  • This requirement enables OSCs to adapt to emerging threats and implement operational improvements within their cybersecurity programs. Validating remediation is a core tenet of effective risk management and continuous monitoring.

What can you do?

  • Implement a risk management program and accountable party to ensure that POA&Ms are identified in real time and a proactive remediation strategy is designed and implemented within the 180-day period.

4. No exemption for international contractors

Domestic and international organizations will be subject to the same CMMC requirements. No additional time or special accommodations or tailoring will be granted to international contractors.

Why it matters

  • This requirement introduces potential logistical concerns and additional costs for international contractors, and for U.S.-based contractors with international locations and facilities, which will need to define a global strategy for their compliance journey.

What can you do?

  • Engage with a certified third party, like RSM, with international capabilities to scale and perform certifications domestically and abroad to ensure availability and timeliness of certification. Not sure how to get started? RSM’s integrated CMMC advisory and strategy services team can help you plan and execute your multinational engagement.

5. Role of the affirming official

The affirming official is responsible for ensuring and affirming the contractor’s compliance with CMMC security requirements at multiple phases in the CMMC lifecycle.

Why it matters

  • While the rule does not specifically determine who must be the affirming official, it does clearly assign responsibility, accountability and potential legal liabilities to the affirming official.

What can you do?

  • OSCs should begin reviewing responsible and accountable roles for their CMMC journey and designate officials for affirmation statements. Not sure how to get started? RSM provides advice and services to strategically align your organization’s CMMC journey and business to support strategy moving forward.
