The CMMC Proposed Rule and Documentation 

 

On December 26, 2023, the Cybersecurity Maturity Model Certification Program proposed rule was published in the Federal Register.  The proposed rule was made available for public comment through February 26, 2024.

The Federal Government requires this step before a rule can be included in the Code of Federal Regulations (CFR).

The CMMC program will be part of CFR Title 32, National Defense, Part 170 (shorthand: “32 CFR Part 170”).

The rule was published along with a set of CMMC Guides and other supporting documentation.

The rule is likely to change because of public comment, but its primary intent and direction are unlikely to change. The impact the rule has on the MSP community is also unlikely to change significantly.

The following links are to the authoritative documents published in the rule.  These documents should be used from this point forward to begin preparing for CMMC.

32 CFR Part 170 CMMC Program

https://www.govinfo.gov/content/pkg/FR-2023-12-26/pdf/2023-27280.pdf

You may find it easier to read the document on the Federal Register home page for CMMC:

https://www.federalregister.gov/documents/2023/12/26/2023-27280/cybersecurity-maturity-model-certification-cmmc-program

The DoD released 8 guidance documents along with the proposed rule.  These documents are all considered drafts and are marked as Version 2.11.  Note that these documents did not significantly change from the documents that were leaked prior to the rule being published.

Notice of Guidance for CMMC: https://www.regulations.gov/document/DOD-2023-OS-0096-0001

CMMC Model Overview: https://www.regulations.gov/document/DOD-2023-OS-0096-0006

Scoping Guide – CMMC Level 1: https://www.regulations.gov/document/DOD-2023-OS-0096-0007

Scoping Guide – CMMC Level 2: https://www.regulations.gov/document/DOD-2023-OS-0096-0003

Scoping Guide – CMMC Level 3: https://www.regulations.gov/document/DOD-2023-OS-0096-0008

Assessment Guide – CMMC Level 1: https://www.regulations.gov/document/DOD-2023-OS-0096-0002

Assessment Guide – CMMC Level 2: https://www.regulations.gov/document/DOD-2023-OS-0096-0005

Assessment Guide – CMMC Level 3: https://www.regulations.gov/document/DOD-2023-OS-0096-0004

Hashing Guide (used during assessments only): https://www.regulations.gov/document/DOD-2023-OS-0096-0009

The DoD also published Assessment Reporting Templates.  These provide some insight and may be useful in conducting self-assessments.

CMMC Level 2 Pre-Assessment Reporting: https://downloads.regulations.gov/DOD-2023-OS-0097-0001/attachment_2.xlsx

CMMC Level 2 Assessment Results Reporting: https://downloads.regulations.gov/DOD-2023-OS-0097-0001/attachment_4.xlsx

CMMC Level 3 Pre-Assessment Reporting Mock-up: https://downloads.regulations.gov/DOD-2023-OS-0097-0001/attachment_1.xlsx

CMMC Level 3 Assessment Results Reporting Mock-up: https://downloads.regulations.gov/DOD-2023-OS-0097-0001/attachment_3.xlsx

Additional material was released that we have not included here.  For a complete listing of all the documents you can refer to a blog published at https://www.cmmcaudit.org/cmmc-rule-links-to-text-with-december-26-content/

 