CMMC Rule CFR 32 is Final

September 23, 2024

Last week, the CMMC Final Rule (known as CFR 32) was released from OIRA, meaning no more changes can be made.

Since CFR 32 is considered a Major Rule, it will next undergo a Congressional review of up to 60 days, after which it becomes law. Any inaction by Congress results in it becoming law. The only way for changes to be made is for both houses of Congress & the President to overturn the Rule.

For defense contractors handling CUI, know that CMMC is here. If you have been waiting, this is your confirmation to get started.

What this means for winning defense contracts

The CMMC rule is on target to become law in Q4 and enter into contracts in early 2025. It requires contractors to prove CMMC compliance as of the time of award.

It also requires contracting officers to verify that the results of CMMC compliance are posted in the Supplier Performance Risk System (SPRS).

Note that DFARS 7012/ DFARS 7020 mandates that defense contractors pass CMMC requirements onto their subcontractors. This means even subcontractors must be CMMC compliant to be part of defense contracts.

CMMC will be phased in over 3 years, but it’s impossible to know which contracts will be subject to the requirements until they’re released, at which point it’ll be too late to become compliant. If you’re a defense contractor, the only way to ensure you can maintain your current contracts & win new ones is by completing a CMMC assessment.

What this means for CMMC assessments

CFR 32 is the rule that defines the CMMC program and enables CMMC assessments to begin. Until now, assessments have been conducted jointly by CMMC 3rd Party Assessor Organizations (C3PAOs) and the DoD’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) under the JSVA (Joint Surveillance Voluntary Assessment) program. Once CFR 32 passes Congress, JSVAs will end and C3PAO assessments will begin. DIBCAC will continue to conduct C3PAO, CMMC Level 3, and DIBCAC High Assessments.

While the Cyber-AB still needs to release the CMMC Assessment Process (CAP) before assessments can begin, industry experts believe we should expect C3PAO assessments by mid-November. Many defense contractors have already lined up these C3PAO assessments and those who have not should do so soon because the C3PAO pool is limited and waiting lists are growing.

Are you in, or not?

If you’re a defense contractor, you need to decide if you wish to be part of the Defense Industrial Base ecosystem. If you choose to “wait it out” and see what happens with CMMC, you are effectively canceling the possibility of winning any contracts with the CMMC clause for at least 12 months – that’s how long it takes for a typical DIB company to prepare for and complete a CMMC certification. Note that this includes contracts on which you’re a subcontractor, since Primes are required to flowdown these CMMC requirements.

Waiting will only cost you time, money, and lost revenue. Some C3PAOs already have multi-year waiting lists.

Alternatively, getting CMMC compliant now will grant you a competitive advantage when bidding on DoD and Prime contracts.

Fundamentally, we are at what Intel founder Andy Grove called a “strategic inflection point” in CMMC. If you wish to win DoD work, then you need to get CMMC compliant. Failure to achieve compliance means choosing to be a spectator to the industry’s growth.

Next Steps

If your organization wishes to stay in the Defense Industrial Base, then you will need to become CMMC compliant. PreVeil can help.

PreVeil is used by over 1,200 defense contractors and provides a comprehensive solution to expedite CMMC compliance. It includes:

Technology Platform: Our Email and Drive platform protects CUI with end-to-end encryption. Meets FedRAMP Moderate Equivalent, FIPS 140-2 and DFARS 7012 c-g
Compliance Accelerator: We provide you with pre-filled CMMC documentation, assessor-validated videos and 1×1 support from our compliance exports
Partner Network: We support your organization through the entire compliance journey -from prep to assessment – with our network of CMMC consultants and auditors.

PreVeil supports 102/ 110 NIST 800-171 controls and walks you through how to meet the remaining controls. Our proven solution has been used by over 10 defense contractors and C3PAOs to achieve perfect 110 scores in tough DoD assessments.

To get the latest CMMC updates & learn how PreVeil can help, simply reach out to our team.

Contact sales

…. or schedule a free 15 minute compliance consult with our team.

Book a Compliance Call

Author

Orlee Berlove, reviewed by Noël Vestal, PMP, CMMC RP

Noël Vestal is PreVeil's Compliance Officer and CMMC Certified Professional (CCP) with over 15 years in DoD IT program management. She implemented the NIST 800-171/CMMC Level 2 compliance program for an OSC member of the DIB. She has her M.S. in Information Technology and holds certifications from the CMMC Accreditation Body (CyberAB), Project Management Professional (PMP), and CompTIA’s Security + certification.

Orlee Berlove has been a marketing leader for over 25 years, and is currently the Senior Director of Marketing at PreVeil. She has her Masters of Engineering, Operations Research and her Bachelor of Arts from Cornell University.

Related Blog

See All Blog

September 17, 2024

Countdown to Compliance: Demystifying the CMMC Timeline

CMMC

September 9, 2024

PreVeil Enables CMMC Level 2 Compliance with M365 Commercial

CMMC

September 6, 2024

Who is responsible for protecting CUI?

CMMC

The CMMC Rule is Final!

By: Orlee Berlove, reviewed by Noël Vestal, PMP, CMMC RP