CMMC Everywhere?

February 06, 2025

The US Department of Defense (DoD) has established the Cybersecurity Maturity Model Certification (CMMC), and as of mid-December 2024 the CMMC rules have formally gone into effect. At the same time, the DoD, along with the General Services Administration (GSA) and the National Aeronautics and Space Administration (NASA), has proposed changes to the Federal Acquisition Regulation (FAR) regarding the protection of Controlled Unclassified Information (CUI). The protection of CUI is the central theme of the CMMC program, and it appears that the protection of CUI is going to gain importance across the US federal government, not just the DoD. The proposed rule was formally published on 15 January 2025, and the public comment period runs until 17 March 2025. You can find the proposed rule at: Federal Register :: Federal Acquisition Regulation: Controlled Unclassified Information

Unlike CMMC, the proposed FAR rule does not create a full cybersecurity assessment and reporting mechanism. It does, however, require all contract offers (with some exceptions) to include FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, and it creates a new Standard Form that transmits the CUI handling requirements from the Government to the contractor. There are many similarities between the new FAR language and CMMC, as you'd expect given that both enforce NIST SP 800-171. Specifically, under the new rule the contractor may be asked to provide their System Security Plan (SSP) to "demonstrate their implementation of the security requirements in NIST SP 800-171". If you are a defense contractor, you have been working on this for at least a year as CMMC was becoming formalized. For companies starting from scratch, the government estimates that it may cost over $861K for a small business to become compliant, with an additional annual cost of over $500K.
This number only goes up for larger businesses.

A key difference between this proposed rule and CMMC is the assessment. Whereas CMMC requires either a self-assessment or an external assessment, the results of which are then submitted to the DoD, the proposed FAR rule does away with that requirement. Instead, the government may request the SSP "on demand" as evidence of compliance. It should be noted that NIST SP 800-171, 3.12.1 still requires the company to periodically assess its security controls, which means that at a minimum some form of self-assessment remains a requirement, and its results should be documented in your SSP.

Perhaps the most impactful part of the proposed rule is the mandatory use of FedRAMP-authorized cloud services. If the CUI identified on the new Standard Form for a contract is stored, processed, or transmitted by a Cloud Service Provider (CSP), then that CSP must be authorized at a minimum of FedRAMP Moderate. While there are now over 300 FedRAMP-authorized services, there are likely many critical applications in use today that are not FedRAMP authorized. Unlike CMMC, there is no discussion of a FedRAMP "equivalent" that would be an acceptable alternative to a FedRAMP-authorized cloud service.

What we have today is a proposed rule, and as we saw with CMMC, the rules may change substantially between now and finalization. If you are a contractor that works with the US federal government, I'd highly encourage you to read the proposed rule and to take advantage of the public comment opportunity. What will be interesting to see is whether the government goes even further in the rules and implements CMMC across the federal government. As it reads today, I'd say that is unlikely. However, if over the next year CMMC is seen as successful, I wouldn't put that out of the realm of possibility. There are already indicators that this discussion is going on within the Government.
If forced to guess, I'd say that they will formalize the rules as mostly drafted, and then in a few years when CMMC matures (if it still exists then), we are much more likely to see it adopted across the government. As a government contractor, having consistency across the government is good, but CMMC does carry a significant burden and has yet to prove itself sustainable.

I'll end by stating that CUI deserves to be protected. It represents data that, if compromised, may negatively impact the ability of the government to provide services to all Americans. I get that this will place a burden on all companies that work with the government, but I don't think it is unrealistic to expect those that handle CUI to safeguard it. We can certainly debate whether the rules are too burdensome, ineffective, or the like, and those opinions should go into the comments back to the government. As with everything in federal cybersecurity regulations and compliance, Optiv + ClearShark will stay on top of what is going on and the potential impact to our partners and customers.

By: John Allison, Sr. Director of Federal Advisory Services | Optiv + ClearShark

John Allison spent 24 years in the Air Force, doing systems engineering, weapons research, program management, and intelligence analysis. He retired in 2015 and started his civilian career focusing on bringing to market compliant cloud solutions, including DoD and FedRAMP offerings, for both large companies and small startups. Throughout his career he's been called on as the technical and compliance expert and has a passion for bridging the gap between the Government's need for solutions and innovative non-traditional companies.

About Optiv + ClearShark™
Optiv + ClearShark is a cybersecurity and IT solutions provider focused exclusively on serving the U.S. federal government. From the data center, cloud and to the edge, we have decades of experience securing and modernizing federal agency data and infrastructure. Our world-class advisory and engineering team is comprised of mission-focused, results-driven subject-matter experts with deep technology and agency domain knowledge and security clearances. Part of Optiv, the cyber advisory and solutions leader, Optiv + ClearShark partners with federal agencies to advise, deploy and operate complete cybersecurity programs.