Navigating the 2024 CMMC Rules: Essential Updates for IT Managers

by Susan Gosselin

November 20, 2024

If you’re a business owner with a Department of Defense contract, or you’ve been considering bidding for one, there’s big news on the horizon. On October 15, 2024, the DoD published the final rule for its CMMC (Cybersecurity Maturity Model Certification) program (32 CFR Part 170), which governs how its contractors must protect the government information they handle. The new 2024 CMMC rules are designed to tighten security while streamlining the certification process.

All in all, the streamlined rules may make life a little bit easier for small and medium-sized businesses looking to bid on government contracts. But make no mistake, the government is very serious about maintaining security around its data, especially when dealing with national security matters. Getting certified and staying certified for the CMMC is hard work. Fortunately, managed IT service providers that are fully CMMC certified themselves can help you assess your operation against the new guidelines and bring your operation up to speed.

First, let’s talk about how the rules are going to change.

 

New 2024 CMMC Rule Changes:  A Summary

The new 2024 CMMC rule changes include several significant differences from the earlier program:

  • Reduction of Assessment Levels: When the DoD issues a contract, it assigns a CMMC level based on the sensitivity of the information the contractor will handle, and that level determines the cybersecurity requirements the vendor must meet. The 2024 rule reduces the number of assessment levels from five to three, which makes the certification process more straightforward and less burdensome for businesses.
  • Assessment Levels:
    • Level 1: Basic protection of Federal Contract Information (FCI) through the 15 safeguarding requirements of FAR 52.204-21, verified by annual self-assessment.
    • Level 2: Protection of Controlled Unclassified Information (CUI) through the 110 requirements of NIST SP 800-171, verified either by self-assessment or by a certified third-party assessment organization (C3PAO), as the contract specifies.
    • Level 3: Enhanced protection against advanced persistent threats through 24 additional requirements drawn from NIST SP 800-172, verified by an assessment led by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) once a Level 2 C3PAO certification is in place.
  • Plans of Action and Milestones (POA&Ms): Levels 2 and 3 allow a conditional status while a business closes a limited number of open requirements within 180 days; Level 1 does not permit POA&Ms.

This explains the overall changes, but as always, the devil is in the details. Let’s dig a little deeper into what changes government contractors can expect.

 

Top 14 Takeaways from the new 2024 CMMC Rule Changes

#1—Implementation Timing: The rollout will happen in four phases, starting with self-assessments and adding C3PAO and DIBCAC assessment requirements to contracts in stages over the following three years.

#2—Appeals Process: Disagreements with third-party assessments can be appealed within the assessment organization and then to the Accreditation Body, but not to the DoD.

#3—NIST SP 800-171 Revision: The DoD will continue to assess against NIST SP 800-171 Revision 2, even though Revision 3 has been published.

#4—Assessment Start Date: The rule took effect on December 16, 2024, after which authorized C3PAOs could begin conducting official Level 2 certification assessments.

#5—Conditional Status: Contractors can receive a conditional Level 2 or Level 3 status if they score at least 80% of the available points (88 of 110 for Level 2) and put the remaining gaps on a Plan of Action and Milestones (POA&M) that is closed out, and verified, within 180 days. Not every gap can be deferred: only low-weight requirements may go on the POA&M, so a missing 3- or 5-point requirement blocks even conditional status.
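To make the threshold in #5 concrete, here is an added worked example (my code, not the article's and not a DoD tool): a small calculator that scores a set of requirement statuses the way the NIST SP 800-171 DoD Assessment Methodology does (start at 110, subtract each unmet requirement's 1-, 3- or 5-point weight) and then applies the POA&M conditions for Conditional Level 2 status as I read 32 CFR 170.21. The weight table is a constructed slice of the 110 requirements using real IDs, and the partial-credit and never-deferred rules are my assumptions to verify against the rule text before relying on them.

```python
"""Conditional Level 2 eligibility check (added example, not from the article).

Assumptions (mine, not the article's):
- Scoring follows the NIST SP 800-171 DoD Assessment Methodology: start at
  110 and subtract the weight (1, 3 or 5) of every requirement NOT MET.
- Conditional Level 2 status (32 CFR 170.21, as I read it) needs a score of
  at least 88, i.e. 80 % of 110; every open requirement on the POA&M; no
  deferred requirement worth more than 1 point, except SC.L2-3.13.11 (CUI
  encryption) when scored at its partial value of 3; and none of the five
  requirements in NEVER_DEFERRED on the POA&M at all.
- WEIGHTS is a constructed slice of the 110 requirements (real IDs and
  weights) used as sample input; an SSP export would supply the full table.
"""
from dataclasses import dataclass, field

MAX_SCORE = 110
CONDITIONAL_MIN_SCORE = 88  # 80 % of MAX_SCORE

WEIGHTS = {
    "AC.L2-3.1.1": 5, "AC.L2-3.1.20": 1, "AC.L2-3.1.22": 1,
    "AT.L2-3.2.1": 5, "AU.L2-3.3.1": 5, "CM.L2-3.4.1": 5,
    "IA.L2-3.5.3": 5, "PE.L2-3.10.3": 1, "RA.L2-3.11.1": 3,
    "SC.L2-3.13.11": 5, "SI.L2-3.14.1": 5,
}
# Only these two may be scored PARTIAL (deduct 3 instead of 5): MFA that
# covers remote/privileged users only, and encryption that is not FIPS-validated.
PARTIAL_CREDIT = {"IA.L2-3.5.3", "SC.L2-3.13.11"}
# Requirements the rule bars from any POA&M, whatever their weight (assumption).
NEVER_DEFERRED = {"AC.L2-3.1.20", "AC.L2-3.1.22", "PE.L2-3.10.3",
                  "PE.L2-3.10.4", "PE.L2-3.10.5"}


def deduction(req_id: str, status: str) -> int:
    """Points lost for one requirement given its status MET / PARTIAL / NOT MET."""
    if status == "MET":
        return 0
    if status == "NOT MET":
        return WEIGHTS[req_id]
    if status == "PARTIAL" and req_id in PARTIAL_CREDIT:
        return 3
    raise ValueError(f"{req_id}: status {status!r} is not allowed")


def assessment_score(statuses: dict[str, str]) -> int:
    """Score over WEIGHTS; a requirement missing from statuses counts as NOT MET."""
    return MAX_SCORE - sum(deduction(r, statuses.get(r, "NOT MET")) for r in WEIGHTS)


@dataclass
class Verdict:
    score: int
    conditional_eligible: bool
    reasons: list[str] = field(default_factory=list)


def conditional_status(statuses: dict[str, str], poam: set[str]) -> Verdict:
    """Decide whether the scored state can be granted Conditional Level 2."""
    reasons: list[str] = []
    score = assessment_score(statuses)
    if score < CONDITIONAL_MIN_SCORE:
        reasons.append(f"score {score} is below the {CONDITIONAL_MIN_SCORE} minimum")
    open_reqs = {r for r in WEIGHTS if statuses.get(r, "NOT MET") != "MET"}
    for r in sorted(open_reqs - poam):
        reasons.append(f"{r} is open but not on the POA&M")
    for r in sorted(poam):
        if r not in WEIGHTS:
            reasons.append(f"{r} is not a known requirement")
            continue
        if r not in open_reqs:
            reasons.append(f"{r} is on the POA&M but scored MET")
            continue
        points = deduction(r, statuses.get(r, "NOT MET"))
        if r in NEVER_DEFERRED:
            reasons.append(f"{r} may never be deferred to a POA&M")
        elif points > 1 and not (r == "SC.L2-3.13.11" and points == 3):
            reasons.append(f"{r} is worth {points} points; only 1-point items may be deferred")
    return Verdict(score, not reasons, reasons)


if __name__ == "__main__":
    all_met = {r: "MET" for r in WEIGHTS}
    # Non-FIPS crypto deferred on the POA&M: score 107, eligible.
    print(conditional_status({**all_met, "SC.L2-3.13.11": "PARTIAL"}, {"SC.L2-3.13.11"}))
    # A 3-point risk assessment gap cannot be deferred even though the score is high.
    print(conditional_status({**all_met, "RA.L2-3.11.1": "NOT MET"}, {"RA.L2-3.11.1"}))
```

The point the second case makes is the one contractors most often miss: a score comfortably above 88 does not by itself earn conditional status if any deferred item carries more than one point.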

#6—Annual Affirmations: A senior company official must affirm continued compliance in SPRS every year, and again after any POA&M closeout. Each affirmation is a representation to the government, so an inaccurate one increases exposure under the False Claims Act.

#7—Mergers and Acquisitions: Significant changes to a company’s system, like mergers, may require a new assessment.

#8—Level 1 Self-Assessments: Not needed if a Level 2 assessment covers the same scope.

#9—Small Business Compliance: Small businesses must comply with CMMC, and the DoD believes the cost is manageable.

#10—Foreign Company Compliance: Foreign companies must comply with CMMC just like U.S. companies.

#11—External Service Providers: An external service provider that handles your CUI is in scope for your assessment but does not itself need a CMMC certification, unless it is a cloud service provider: cloud services that process, store, or transmit CUI must meet FedRAMP Moderate (or a DoD-approved equivalent).

#12—Accelerated Adoption: Some companies may need to comply with CMMC requirements earlier than others, depending on the nature of the contract.

#13—Pre-Award Protests: Contractors can challenge the required CMMC level designation before a contract is awarded.

#14—Prime Contractor Requirements: Prime contractors may require compliance earlier than the DoD.

Whether you need a third-party assessment depends on the level in your contract. Level 1 and Level 2 (Self) require an annual self-assessment whose results you enter in DoD’s Supplier Performance Risk System (SPRS). Level 2 (C3PAO) requires a certification assessment by an authorized C3PAO every three years, and Level 3 an assessment led by DIBCAC, with the results recorded in SPRS so your status can be verified at award time. Demand for authorized assessors is high, so build assessment lead time into your schedule.

Now that we’ve covered the main changes occurring with this rules update, let’s talk about the cybersecurity controls you can expect at each new, streamlined assessment level.

 

Understanding the Cybersecurity Controls at Each DoD Level

Keep in mind that the required CMMC level is stated in the solicitation and the contract. By bidding on it and signing it, you represent that the controls for that level are in place, and those are the criteria you will be assessed against.

 

Level 1: Foundational

Contracts issued at this level do not involve CUI, only Federal Contract Information (FCI): information provided by or generated for the government under a contract that is not intended for public release. Still, these basic protections must be in place, grouped here by NIST SP 800-171 domain:

#1—Access Control: Organizations need to limit system access to authorized users, processes, and devices and restrict what those users can do, typically through an Identity and Access Management (IAM) system such as Microsoft Entra ID (formerly Azure AD) or Okta. Level 1 also requires controlling connections to external systems and controlling what is posted to publicly accessible systems.

#2—Identification and Authentication: They must identify users and authenticate them before granting access. Level 1 does not mandate Multi-Factor Authentication (MFA), which is a Level 2 requirement, but MFA solutions such as Duo Security or Google Authenticator are the sensible way to meet the authentication requirement.

#3—Media Protection: At Level 1 this means sanitizing or destroying media that holds FCI before disposal or reuse. Full-disk encryption with BitLocker or VeraCrypt limits what is exposed if a device is lost, but it does not replace sanitization.

#4—Physical Protection: Physical access to systems and equipment must be limited to authorized individuals, with visitors escorted, physical access logs maintained, and keys and badges controlled. Badge-based access control systems and surveillance cameras are the usual tools.

#5—System and Communications Protection: Organizations must protect the boundary of their network and separate publicly accessible systems from internal ones. In practice that means firewalls like Cisco ASA or Palo Alto Networks devices at the boundary and a DMZ for public-facing services; an Intrusion Detection System (IDS) such as Snort adds visibility into what crosses that boundary.

#6—System and Information Integrity: Finally, security flaws must be fixed in a timely manner, and systems need malicious-code protection that is kept current and scans both incoming files and the system itself. Patch management tools like WSUS and endpoint protection such as Symantec or McAfee are the usual way to cover these.

 

Level 2: Advanced

In this assessment level, contractors handle both FCI and Controlled Unclassified Information (CUI). Because of this, the full set of 110 requirements from NIST SP 800-171 Revision 2 applies, spread across 14 domains, including:

#1—All Level 1 Controls: The Level 1 practices carry over, but at Level 2 they are assessed to the fuller NIST SP 800-171 wording, and requirements such as multi-factor authentication and encryption of CUI in transit appear at this level.

#2—Audit and Accountability: This includes creating, protecting from tampering, and retaining audit records using Security Information and Event Management (SIEM) systems like Splunk or LogRhythm to monitor, analyze, and report on security events.

#3—Configuration Management: Configuration management tools such as Ansible or Puppet help maintain and enforce secure configurations.

#4—Incident Response: Incident response platforms like IBM Resilient or Palo Alto Networks Cortex XSOAR are essential for managing and coordinating responses to security incidents.

#5—Maintenance: Regular system updates can be performed using Remote Monitoring and Management (RMM) tools like SolarWinds or ConnectWise.

#6—Personnel Security: Ensuring personnel meet security criteria and are trained in cybersecurity practices can be achieved through background check services and training platforms like KnowBe4.

#7—Risk Assessment: NIST SP 800-171 calls this family Risk Assessment: periodically assess risk to operations and assets, scan for vulnerabilities, and remediate what is found. Frameworks like FAIR or tools such as RSA Archer help structure the analysis.

#8—Security Assessment: Finally, organizations must periodically assess their own controls, maintain a system security plan (SSP) and POA&Ms, and monitor controls on an ongoing basis. Vulnerability assessment tools like Nessus or Qualys support the technical side of this.

 

Level 3: Expert

At this assessment level, companies are working with more sensitive data and processes and must demonstrate enhanced protection against advanced persistent threats (APTs).

#1—All Level 1 and Level 2 Controls: Level 3 compliance requires all the controls from Levels 1 and 2, plus 24 additional requirements selected from NIST SP 800-172.

#2—Advanced Threat Detection: Organizations must implement advanced threat detection and response capabilities using Endpoint Detection and Response (EDR) solutions like CrowdStrike or Carbon Black.

#3—Continuous Monitoring: Platforms such as Amazon CloudWatch or Microsoft Azure Monitor are essential for continuously monitoring systems for security incidents.

#4—Enhanced Incident Response: Advanced incident response tools like FireEye or Mandiant are necessary for handling sophisticated threats and coordinating complex incident responses.

#5—Security Engineering: Security engineering principles should be integrated into the software development lifecycle using secure tools like Checkmarx or Veracode.

#6—Supply Chain Risk Management: Finally, managing and mitigating risks associated with the supply chain can be achieved through supply chain risk management platforms like RiskRecon or Prevalent.

 


Susan Gosselin is a Senior Content Writer for Integris. A career communicator and business journalist, she's written extensively on IT topics and trends for IT service providers like Iconic IT and ProCoders Ukraine, as well as business publications such as Technologyadvice.com, Datamation.com, The Lane Report and many others. Connect with her on LinkedIn.
