November 2024 CyberAB Town Hall Recap: Essential CMMC 2.0 Updates for Defense Contractors
CMMC Compliance Guide, November 26, 2024
Episode 6 (00:32:21, 22.25 MB)



Submit any questions you would like answered on the podcast!

In this episode, Brooke and Austin Justice dive into the latest CyberAB townhall update, sharing key insights for defense contractors. Stay informed on the latest CMMC developments, compliance changes, and how they could impact your business. Whether you're navigating CMMC 2.0 or simply trying to stay ahead of cybersecurity requirements, this recap is for you!

Topics Covered:

  • Important updates from CyberAB
  • Key compliance insights for contractors
  • How these changes affect your CMMC journey

Download Your Copy of the 48 CFR Guidebook Here

CyberAB Town Hall Overview

32 CFR Final Rule Published

SPEAKER_02

Hey there, welcome to the CMMC Compliance Guide Podcast. I'm Austin. And I'm Brooke from Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance, but today we're here to give you all the secrets for free, so if you want to tackle it yourself, you're equipped to do so. Let's dive into today's episode and keep your business on track. Well, Brooke, we had another Cyber AB Town Hall, isn't that right? We did, an October Town Hall of awesome. Very cool. So we're here breaking down the Cyber AB Town Hall happenings and giving you our take on it, our hot take. That way, if you missed the meeting, the town hall, you've got your updates. Absolutely.

Brooke

Just trying to narrow it down to a few updates that our clients really care about.

SPEAKER_02

Absolutely. So let's get into it. You shared a couple of the updates with me, so I'm just going to tee up some questions that our listeners might have and let you answer them. Sounds like a winner. Awesome. Well, you said that the 32 CFR final rule has been published. Is that right? It has been published, absolutely. What happened there? What's changed?

Implications of 32 CFR and Assessment Readiness

Brooke

What do we need to know? Well, there's a lot that's changed, and we'll have another podcast to go over the changes in the 32 CFR final rule. Okay. But the rule is final, and it goes into effect on December 16th. Really, if you follow the number of days, it was going to be December 14th, but that falls on a weekend, so it's December 16th, the next Monday. Assessments will be available on December 16th, though that also depends on when the CAP comes out. I think it'll be out before then. The CAP is the CMMC Assessment Process, one gigantic, ginormous document that tells assessors exactly how they have to go through the assessment process. So, very good acronym there, the CAP. CAP 2.0 is supposed to be out, which will guide all that. I don't see why it wouldn't be out before December 16th. But yes, CMMC is official. It will go into effect on December 16th, and assessments will be available, but not required yet. Okay.

SPEAKER_02

Awesome. So what do you think the implications are for our listeners, for businesses looking to get certified or that have DoD contracts? What are the implications for them?

M&A Activity and Compliance

Brooke

Well, really the implications are that the assessments are available. I can tell you that there's a bit of a shortage of C3PAOs, the organizations who do the assessments, and of assessors. So we all kind of expect, I say we all, the people I listen to, I guess, expect there to be a bit of a rush of people trying to get certified, especially as it moves closer to the time those are required, when that 48 CFR rule drops. The point there is that if you're ready, don't bother if you're not ready, of course, but if you're ready to go through an assessment, or a readiness assessment, which is something you do prior to the actual certification assessment (we've discussed on previous podcasts why you would do that), then I would go ahead and get on a C3PAO's calendar, which would probably require a down payment, I would guess. But anyway, get on their calendar and get a schedule set. That way you're in line, because who knows what's going to happen mid-2025.

SPEAKER_02

So I've got a note here to talk about M&A activity. What's that about?

Brooke

Yeah, so I think it's really more of a clarification than a change, but it did come out in this 32 CFR final rule, and they talked about it in the Cyber AB town hall. If there's any kind of significant activity on your business system, the one you define and scope out for the CMMC assessment, if there's any M&A activity, that will likely change the business structure. It also almost always changes the infrastructure somehow. Also, any other system changes, joining of networks, a move to the cloud, whatever it may be, are significant changes. The M&A activity was specifically called out too, but any of those changes are going to require a new assessment. So if you've already been assessed and you have your level three, or level two, certification, and even really if you have your level one assessment complete or level two self-assessment complete and uploaded, then a new assessment will have to be performed, whether it's a self-assessment or a certification assessment, because those are significant changes.

SPEAKER_02

So if you're going through M&A or anything like that, you need to make sure you have budget for that.

ESPs (External Service Providers) Clarifications

Brooke

Yeah, yeah. And I think they called out M&A activities specifically just because there's so much of it going on right now. I know in our world, the IT world, there's a ton of it going on. We also see it with some of our manufacturing clients that have gobbled up other people or that got gobbled up. So absolutely, there's a lot of M&A going on. Yeah, it's hot. It is hot. It takes different forms also. Some mergers and acquisitions come along and leave everything as is, and then there's not a lot of change. There is change, of course, to the business structure and who has that CAGE code and all that kind of fun stuff. And then some come along and roll everything up, roll everything in together. There are all sorts, but those are changes that will require a new assessment.

SPEAKER_02

Yeah, I think for most of our DoD, I would say small and mid-sized, businesses that have been gobbled up, most of them actually kept the infrastructure and the business entity, for the most part, as is. They did. There are quite a few of those that did. Absolutely. I don't think we've seen a lot that did a full transition, because I think it's just a little simpler, and simpler to keep things compliant as well, since it's a completely different entity. Absolutely. Yeah. So ESPs were called out as well, you said.

Brooke

ESPs were called out. So with the proposed rule, there were a lot of waves made in the comments and everything, because with the proposed rule, basically, if you provided any sort of service to an organization seeking assessment, we'll just say OSA, okay? If you provided any kind of service to them that secured their data, secured their CUI, secured the configurations or had configuration data, or of course that processed, stored, or transmitted FCI or CUI, then you were an ESP, and ESP was this giant umbrella covering everybody. CSPs, cloud service providers like Microsoft and Google and tons of others, are also ESPs. So it's a giant umbrella term, and for CMMC you're an ESP if you store, transmit, or process FCI or CUI, or if you have security protection assets or security protection data for that client. And as such, if you're an ESP and fall under that, then if you're a CSP, and of course this didn't change, you're going to have to be FedRAMP Moderate authorized or equivalent. That could be a whole podcast episode in itself, but there's a difference there and it matters. It matters in the cost of the program, of the assessment, and everything. But for the rest of the ESPs that are not a CSP, that meant you had to be level two certified before the OSA could even go seek assessment. And not only did we, as an ESP, as an IT provider, have to be level two certified before our OSA, our client, could go seek assessment or certification, but any service that we used also had to be level two certified, or, if it was a CSP, it had to be FedRAMP Moderate, of course. So that impacted a lot, and it really shrunk the services down to... sorry for the noises, the sound effects there.
The way we amplify them in the editing, yeah. Right. But it really shrunk that down to just a few enterprise services, which is not good at all for SMBs. Especially from a cost standpoint. From a cost standpoint, yeah, everything. So it's not good for us, because none of those enterprise-type solutions that would be left are meant for small businesses. They're hard to manage if you have a whole bunch of small entities you're trying to manage; it makes it tougher. But what this proposed rule, excuse me, what the final rule did, sorry for going on and on, was narrow that back down and say that we don't have to be L2 certified, we don't have to be at the same level as our client. However, all of our systems in question that fall under the ESP status will have to be assessed along with the client's. So if you have a bunch of clients that are seeking assessment or certification, then it might be best to go ahead and get L2 certified, so that's just a lot easier for you and you don't have to go through that fun process 10, 20, 30, 100 times, you know. It'd be best to be L2 certified, but we don't have to be. So, to clarify, your systems will be assessed along with your clients'. The systems in question.

The Risks of Failing an Assessment

SPEAKER_02

Yeah, yeah. So if you have an IT company or anyone else that might be considered an ESP that isn't L2 certified, they could make you fail an assessment because their computer network and infrastructure is not in order. Is that what you're saying?

Brooke

Yes. Yeah. Exactly. Because their systems that are in question, that fall under the ESP status, are going to be assessed along with that organization seeking assessment or certification.

SPEAKER_02

Yeah, so my personal opinion on this is, if I was going to spend forty to sixty thousand dollars on a C3PAO, or anyway, to have an assessor come out, and my IT provider told me, yeah, we're good, you know, just good old thumbs up, I might want to put some effort into making sure that thumbs up is not just a wink and a nod, because otherwise that money that came out of pocket is gone. Yeah, yeah, yeah, absolutely. And what again are the issues of failing an assessment?

False Claims Act and Compliance Accountability

Brooke

Well, the implications of that are... I mean, you'll have a POA&M for 180 days. Now, there are things that can't go on the POA&M, so if you don't meet and can't fix the things that can't go on the POA&M, the ones that haven't been scored as met, then you've probably got a very limited time to be able to prove to the assessor that that control is actually met. Aside from those, if you have stuff that can go on the POA&M, then you've got 180 days. And after that, you just lose your assessment; you have to go back through the whole thing again. And you can't be awarded a contract until you have that certification in place. So if you're depending on that certification to be able to get that next contract, then you're out of luck there.

SPEAKER_02

So it can impact the revenue, obviously. Obviously, yes, sir. So I think, and this is again just Austin Justice's opinion, watch out, y'all, we're getting controversial here. But what I'm trying to say is, I think this is a good change ultimately, because it allows for nuance. But what it does effectively is shift the burden to the entity seeking certification, or the liability rather. Because otherwise, if your ESP was certified, then you're just good to go. If they're not certified and they're giving you the thumbs up and you're seeking certification, then that introduces a liability for you. Do you agree with that?

Brooke

Yeah, yeah, it does. And it really all goes back to something we've said, I think, in every podcast, all the hundreds of podcasts we've done, well, not really, just the few podcasts we've done so far; it goes back to something we've said in every one, and that is preparation. Yeah. Preparation, preparation. You've got to prepare, you've got to document. And part of that preparation is making sure all the pieces are ready to go. If you have an IT provider, an ESP that helps you out, part of that process is going to be making sure that they are ready as well. It may require you bringing somebody in for a readiness assessment to verify everything's good. It may require just hiring an RP, an RPO, a registered practitioner, registered practitioner organization, somebody who has some idea, to come in and verify that everything's in place before then. So, lots of preparation.

48 CFR Proposed Rule and Rollout Timeline

SPEAKER_02

Okay. Cool. I just thought that was a big change with some nuance that I wanted to explore. So, absolutely. Okay, cool. So moving on, because I think we beat that one to death. Hopefully that's not bad to say for Google; God forbid we get demonetized with all of our reviewers out there. Wait, wait, we're monetized? No. So the 48 CFR proposed rule revision, what happened there?

Brooke

The 48 CFR? Yeah, yes. So that proposed rule, it's proposed right now. It went through the comment period. So, if you follow the process like they've done before, if you do the average number of days and all that kind of fun stuff, it would probably be the end of next year before we see the final 48 CFR rule. What I'm hearing though, what everybody kind of says, and Cyber AB said this in that meeting, I believe, is that they expect it early to mid 2025, which is a little quicker than normal. But it's pretty simple. The 48 CFR rule is what puts the 32 CFR rule that just went final in place on contracts. So CMMC is official. The 48 CFR rule takes that official CMMC program and puts it in place on contracts. When it goes final, there'll be four phases. Every phase starts a year after the beginning of the previous one. So phase one starts and goes for a year, then phase two starts and goes for a year. Phase one is self-assessments, basically. And they did leave some wiggle room in all these. They left some wiggle room to say, we may require self-assessments, but there may be some contracts we choose where we say these have to have certification assessments, right? So those certification assessments could come earlier. They also said that on some of these they may leave the certification assessment to an option year on the contract, because contracts are for one year and then have four option years after that, just in general. So that's how they may do that. But phase two is where the certification assessments start being required on contracts.
Technically, you would think that wouldn't be until 2026. However, I have no doubt, and the Cyber AB said this, that they don't know how the primes are going to require that, or need to require that, over their subs. So the prime contractors like E D Bell, Raytheon, you know, they may need to get some of their subs, all their subs, who knows, level two certified before phase two kicks in, because there may be some reason they require it. So that's really just a rough timeline. But that's what the 48 CFR rule is and what they're expecting from it. And it puts all this in place on contracts.

SPEAKER_02

What would you say if you're running a business out there, you're seeking assessment or soon to be, what is the takeaway for you? Like, what would you do now?

Brooke

Well, you can... In terms of the 48 CFR. In terms of the 48 CFR rule. Oh, okay. In terms of the 48 CFR rule, really that's when the rubber meets the road. Once it's required on a contract, you have to have that; we're talking about level two certifications, because those are the tough ones. And there are going to be level one and level two assessments, and by the way, they're talking a lot about the False Claims Act. So if you have a self-assessment and you upload it, be very cautious that you have actually gone and done the assessment yourself and gone through, for instance, for a level two self-assessment, NIST 800-171A, which is the assessment guide. So make sure you've gone through that, make sure you've assessed yourself properly. It's not just check, I meet it, I meet it, check, check, check, check. It is not that at all. You've got to go through that, you've got to do it. They're very serious about the False Claims Act. That said, the examples they have out there, I know I'm getting off on a rabbit trail, but the examples they have out there of the False Claims Act being enforced, there are some universities where it wasn't that they just messed up and said, well, we did this and this is how we did it, and the government said, well, that's not good enough. That's not what happened with those universities. What happened was they said they did it and they didn't even try. I'm sure there was part of it that they did, but in other words, a lot of it was very blatant. So I wouldn't be scared that you implemented something and the federal government
comes back and says no, it shouldn't have been 1.5, it should have been 1.2, or whatever. I wouldn't be too scared about that, but just going off and checking the boxes is blatant, and you should absolutely not do that. You should also understand, so if you haven't taken time to understand how all the controls and objectives work, then you should figure that out, because if you've not even tried to do that and you go check boxes off, then the federal government will probably have a problem with that too.

SPEAKER_02

Jumping in real quick, going back to the ESPs thing, that's another liability for you, because if, for example, you sent the SPRS assessment, the one that you fill out and go through and answer all those questions, say you just sent that to your IT provider, they ran through it and said yes, yes, yes, no, no, no, no, whatever, sent it back, you hurriedly went through it, filled it out and submitted it, and then you get assessed, and then they cross-reference that SPRS with your assessment and it's not matching up, then you could go to jail for that. Yes, you could get in trouble for that, absolutely. Yeah, I think it's just important, because I know we're in the weeds a lot talking about the compliance and IT and physical controls aspects of it. But we need to sometimes check ourselves and go, what the government is trying to do is keep North Korea, China, Russia from attacking our infrastructure, and this could affect, from their perspective and probably rightly so, people's lives and wars, and they're coming at it from that perspective. This is absolutely to protect the warfighter. It is, yeah. And so it's kind of a big deal to them. Yes. So it's not just about making sure your antivirus is installed and you have filled out this POA&M or SSP or whatever. You should probably treat it as such, because they are going to. Absolutely, yeah.

Brooke

So the False Claims Act is a big deal, and they talk about it a lot, so you'd figure if they're talking about it a lot, it's for a reason. Yeah. Be warned. If they're telling you, right, yeah. To go back to the 48 CFR rule, really what people need to know now is that it is coming. The 48 CFR rule will probably be out a little earlier than it otherwise normally would; they're trying to hold to their timeline, they're trying to get all this stuff done. And even though the timeline, if you follow everything out, is probably 2026, early 2026, when it'll actually be required on contracts, that doesn't mean it won't be required earlier by a prime. And depending on where you are in your journey, and with all the clarifications that have been made, even if you thought you were compliant, there may be some question now and you may have to go back and fix some things. All this stuff can't happen overnight. Projects to move to the cloud, projects to upgrade servers, whatever may be needed, all those take time. So don't wait; you need to get on that train and start getting those things done. Yeah, absolutely, and I think that goes back to preparation. Yeah, it's all preparation. Yeah, I think we should maybe rename the podcast to Prepare.

SPEAKER_02

Okay, cool. So does that do it for the 48 CFR? Okay, awesome. So I think you already talked about it, but I had a note specifically to reference the rollout timeline.

Flow-Down Rule and Subcontractor Responsibilities

Practical Preparation Tips

Brooke

But do you think we covered that sufficiently? We did, we went over it, and I think that was pretty sufficient: there are four phases, each one starts a year after the previous one began. That said, there are some caveats, some fairly important caveats. The main one being, you know, there are a lot of companies that are subcontractors of primes, and that ball is up in the air; who knows when you're going to be required by the prime to be L2 certified. So yeah. Okay, I'll tell you what we'll do, Stacy, we've got that 48 CFR PDF that we put together, that's free information for people, we can drop a link to that below. That way if anyone's curious about that, it's got the timeline kind of estimated in there; it's all free information, we'll put that in the description. That's good, yeah. The only other thing I just thought of, that they kind of mentioned at the Cyber AB Town Hall but is also in there, is flow down. The primes are required to make sure all their subs are at whatever level they need to be: level one self-assessment, level two self-assessment, level two certified, which is level two C3PAO is what they call it, or level three C3PAO. So the primes have to make sure their subs are at the proper levels, have the proper assessment in place or the proper certification in place.
But that also means that all the subs have to make sure their subs have the appropriate assessment or certification. So if you are a sub and you find out you have to be level two certified, then you have to figure out your subs: do you send any FCI or CUI to them? Then they're going to have to be at the same level as you, technically. I'm sure there are some situations where this might be different, but if you just send them FCI, which would be non-public contract information, basically, if you send them FCI but not CUI, then it's possible, if you're level two certified, they may only have to be level one. But in general, in all the situations I can think of, if you have a sub and you're sending them any of that FCI, or excuse me, CUI, anything that could be construed as CUI, if it's done in performance of that contract for the federal government, then it's probably going to be called CUI. So you have to make sure that they've got the right certification. So it all flows down; everything, as you say, rolls downhill, I guess. But definitely that flow down rule is a big one.

SPEAKER_02

So remember, preparation is key. If these changes feel overwhelming, feel free to reach out to us: call, email, text, comment. Also, as always, we want audience involvement on the show. Obviously we don't do this live, so there's no phone dial-in, but if you just drop in on the comments, email us, or text us at the number on our website, cmmccomplianceguide.com, get us your question and we'll answer it here for free, so you don't have to pay us or anybody else. We're happy to do that and encourage it. So thank you guys for joining us today, and I think that's it. All right, have a good one.