The Cybersecurity Maturity Model Certification (CMMC) rule, 32 CFR Part 170, was finalized and published on October 15, 2024. The rule does an excellent job of addressing contractor concerns over various issues. One of the most important changes is in the handling of deficiencies.
The rule section defines a ‘temporary deficiency’ as “a condition where remediation of a discovered deficiency is feasible, and a known fix is available or is in process. The deficiency must be documented in an operational plan of action. A temporary deficiency is not based on an ‘in progress’ initial implementation of a CMMC security requirement but arises after implementation. A temporary deficiency may apply during the initial implementation of a security requirement if, during rollout, specific issues with a very limited subset of equipment is discovered that must be separately addressed. There is no standard duration for which a temporary deficiency may be active. For example, FIPS-validated cryptography that requires a patch and the patched version is no longer the validated version may be a temporary deficiency.”
One such issue is practice SC.L2-3.13.11: Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. The practice states, “determine if FIPS-validated cryptography is employed to protect the confidentiality of CUI.”
The SC.L2-3.13.11 Discussion paragraph states, “Cryptography can be employed to support many security solutions including the protection of controlled unclassified information, the provision of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances for such information but lack the necessary formal access approvals. Cryptography can also be used to support random number generation and hash generation. Cryptographic standards include FIPS-validated cryptography and/or NSA-approved cryptography.”