I have completed my initial skim of the 470 pages of the 32CFR170 Final Rule. This will require more study. My comments here are preliminary and subject to revision. As time goes on, I will write about additional takeaways from 32CFR170.
Overall, I think this is a huge improvement over the proposed rule. It does not have the rampant poor editing that impacted prior iterations, and many requirements appear well thought out. In brief:
The fundamental precepts are as expected. CMMC requirements will hit contracts next year, starting with self-assessment. They will apply to nearly every contract when fully rolled out, for either a CMMC self-assessment or a certification (C3PAO) assessment. The numbers projected by DoD are 4,000 self-assessed and 76,000 C3PAO-assessed, so the mix is heavily weighted towards certifications.
Now the Affirming Official (formerly the Senior Official) will need to affirm (swear) that the reporting is accurate. Affirming things not true carries potential personal criminal fraud risk. The Affirmations can expect to be verified in a certification later. Choose wisely.
Surprisingly, the over-reaching massive expansion of certification requirements into MSPs and MSSPs and the expansion of certification/FedRAMP requirements has been rolled back some. Not completely. These requirements are now much more manageable and executable, especially in reference to Security Protection Assets (SPAs), which are no longer required to be assessed against the full stack of CMMC requirements (as long as they do not contain any CUI). This will allow many DIB companies to employ a host of excellent security tools that were previously off the table.
Contractor Risk Managed Assets (CRMAs) have also been redefined. Unlike SPAs, these must now be subject to all 110 CMMC controls, regardless of physical or logical separation.
An Operational Plan of Action (OPA) may now be used to record Temporary Deficiencies. Further discussion of Temporary Deficiencies will be forthcoming as the C3PAO community works to develop normalized approaches to the OPA. To date, we understand that 1) the OPA is distinct from the Plan of Actions and Milestones (PoAM), 2) temporary deficiencies are assessed as “MET” during an assessment, and 3) controls that have never been implemented are not eligible to be listed as temporary deficiencies.
The minimum number of assessors per assessment has been expanded from 2 to 3. Not devastating, but it will put further pressure on having enough qualified assessors.
The flow down where only FCI was involved was clarified to be only Level 1. Excellent.
The prohibition on CMMC instructors from consulting also threatens to decimate the available (and knowledgeable) instructor capacity. Perhaps we can get some “clarification” on this.
Phase 1 (self-assessment mostly) was extended to one year, but those self-assessments will be based on CMMC requirements and scoping. CMMC self-assessments will have a minimum score of 88.
The release of 48 CFR later this year or at the beginning of 2025 will impact certification assessment timelines for the industry. Phase I of the DoD CMMC Rollout will begin when the 48 CFR Final Rule is published.