
December 3, 2024

CMMC Update: The Wild Ride Continues


Tune into our upcoming webinar, "CMMC, the Final Rule, and What it Means for Your Business" on December 11 as we cover all the information here and more.

It’s been quite a month for the Cybersecurity Maturity Model Certification (CMMC) saga. We’ve seen the final rule (32 CFR Part 170) released with significant changes from the draft version, an official date for the program to take effect (December 16th), and the start of an attempt to scuttle the initiative from an Alabama congressman.

All this leaves defense industrial base (DIB) companies wondering what 2025 will bring. Given how many twists and turns the CMMC saga has had over the past decade, I wouldn’t bet against one more late-inning plot twist.

Only time will tell!

The Final Rule brings big changes for ESPs and SPD

Two of the most impactful changes in the final rule concerned the treatment of:

  • External service providers (ESPs)
  • Security Protection Data (SPD)

Let’s start with ESPs.

ESPs & their compliance requirements

In CMMC, an external service provider is any third party that delivers services affecting the confidentiality, integrity, or availability of the Controlled Unclassified Information (CUI) that CMMC was created to protect, or of the security data used to defend it (a managed SOC, a hosted SIEM, or an MSP administering the environment are typical examples).

Under the draft rule, it was widely believed that every ESP would need the same level of certification as the company it supported. That was alarming for Managed Service Providers (MSPs), especially those with only a few DIB customers, who faced a choice between paying for a costly assessment of their own and losing those customers.

The final rule clarified that ESPs which are not cloud service providers and do not process, store, or transmit CUI are not required to obtain their own CMMC certification. Their services are instead assessed as part of the customer's (the OSC's) assessment, so the ESP must still be documented in the customer's scope and be prepared to supply evidence when the assessors ask for it.

It also confirmed that ESPs must provide a Customer Responsibility Matrix (CRM) that spells out which security responsibilities the ESP owns and which remain with the customer for the services provided.

A clearer definition of SPD

As for Security Protection Data (SPD), the final rule provided a clear definition.

SPD is “data stored or processed by Security Protection Assets (SPA) that are used to protect an Organization Seeking Certification’s (OSC’s) assessed environment. SPD is security-relevant information and includes but is not limited to:

  • configuration data required to operate an SPA,
  • log files generated by or ingested by an SPA,
  • data related to the configuration or vulnerability status of in-scope assets, and
  • passwords that grant access to the in-scope environment.”

The final rule also dropped the draft requirement that SPD could only be processed or stored in the cloud by services holding a FedRAMP Moderate authorization (or equivalent). That requirement still applies to cloud services handling CUI itself, but not to services that handle SPD alone. This was a big win for MDR providers like Field Effect, but also for the DIB.

Without this change, many organizations would have spent 2025 ripping out capable cyber defense solutions and replacing them with the few (and costly) FedRAMP-authorized offerings on the market.

Provided the solutions can show that only SPD (not CUI) is stored, processed, or transmitted in the cloud, this change opens up the DIB to a much wider range of solutions. The service remains within the customer's assessment scope and must be documented in their SSP and CRM, but the provider does not need its own certification. Affected categories include:

  • Endpoint detection and response (EDR)
  • Managed detection and response (MDR)
  • Security information and event management (SIEM)

This is a key point for Field Effect, our partners, and customers, as the optional physical appliance keeps the vast majority of data on-premises and within the assessment boundary of our customers.

Only the minimum SPD required for alerting and situational awareness is brought to our Google Cloud Platform-hosted portal, and customers can log in to the appliance to verify that the CUI under their control has never left their endpoints.

A phased rollout for CMMC

The DoD's final rule lays out a phased rollout of the CMMC program, and the CMMC Accreditation Body (also known as the Cyber AB) has made it clear it supports that approach to reduce potential chaos and maximize the program’s chances of success.

Implementers can expect a gradual, three-year phase-in that culminates at the end of 2027, by which point all applicable Department of Defense (DoD) contracts will include CMMC requirements.

  1. Phase 1 begins on December 16, the effective date of the CMMC rule, and focuses on organizations requiring Level 1 and Level 2 self-assessments.
  2. Phase 2 will start at the end of 2025 when third-party assessments of organizations requiring Level 2 will begin in earnest.

This phased rollout came as a relief to many organizations requiring Level 2 certification, as it gives them breathing room to confirm they meet the control requirements before their first assessment.

Next steps for CMMC compliance

But let’s not kid ourselves, preparing for CMMC is going to be a significant lift for many organizations.

Review relevant documentation

For those requiring Level 2, we recommend reviewing:

Understand the scope

Next, it will be important for organizations to understand the proposed scope of their CMMC certification. To do this, organizations will need to conduct a thorough analysis to determine exactly where CUI resides and how it flows through their organization.

Keeping the scope of the certification as small as possible is key to reducing both implementation and auditing costs. Many implementers will look to establish enclaves (virtual or physical) that separate their CUI-containing assets from the rest of their corporate IT.

Develop a system security plan

Another key task is to create a system security plan (SSP), which documents the company's current cybersecurity practices and describes how each NIST SP 800-171 control is implemented within the assessed scope.

This is likely the first document a CMMC Third-Party Assessment Organization (C3PAO) will look at during the audit, so starting work on this early in the implementation process is a good idea.

Request help as needed

This might feel like a daunting task, but there are many strong templates available online and a growing number of CMMC Registered Practitioners (RPs) and Certified Professionals (CCPs) who can guide you through the process.

These experts can also conduct gap assessments to help identify areas where an organization’s current practices fall short of the CMMC requirements.

Approach C3PAOs early

One final note on the next steps: it’s not too early to start talking to C3PAOs, especially if you believe you’ll need to undergo an assessment during the early phases of the program. There’s likely to be an initial shortage of assessment teams, and selecting the right C3PAO for your organization is extremely important.

While the goal of CMMC and other compliance frameworks is to make assessments as objective as possible, it’s inevitable that different auditors will have varying perspectives on how well certain controls meet requirements and will interpret guidelines differently based on their backgrounds and unique contexts.

During the interview process, don’t be afraid to ask them about their auditing philosophy, and how they interpret sections of the final rule that matter most to your organization.

Field Effect and CMMC

At Field Effect, compliance is more than just a box-ticking exercise. We recognize the critical importance of the CUI handled by our defense customers and the channel partners who support them.

We’re eager to collaborate with stakeholders and C3PAOs to ensure our customer base can meet their CMMC compliance goals.

Earlier this year, we introduced the option to map AROs to the NIST SP 800-171 standard. We knew that many companies were understandably nervous about undergoing what, for many, would be their first external compliance audit. Helping them identify potential gaps in NIST SP 800-171 compliance and demonstrating how AROs could be used as evidence for their C3PAO were key in supporting both gap assessment and audit evidence collection.

As of the publishing date of this blog, the Field Effect Security and Compliance team is busy preparing a Customer Responsibility Matrix (CRM) for our MDR service. Once ready, the CRM will provide a solid foundation for our customers to build out their CMMC compliance program. The Field Effect CRM will be available with other compliance documentation on our Trust Center.

To learn more about CMMC and how Field Effect MDR can simplify your certification, reach out to our team.