The publishing of the 32 CFR Final Rule for the Cybersecurity Maturity Model Certification (CMMC) 2.0 by the US Department of Defense (DoD) was a significant leap towards averting rampant cyber-attacks across the defense ecosystem.
The rule was published on October 15, 2024, in the Federal Register and became fully operational sixty days later. It underscores the government’s commitment to safeguarding defense information networks from unforeseen cyber breaches.
Following its publishing, the 32 CMMC Final Rule was no longer a distant concept. It became a codified law that Defense Industrial Base (DIB) companies must now comply with as a basis for qualifying for defense tenders.
The long-awaited 32 CFR Final Rule defines the controls DIB firms must satisfy to achieve CMMC 2.0 compliance. It also highlights the modifications and reforms introduced since its previous iteration, CMMC 1.0.
Here’s a comprehensive guide to the recently published 32 CFR CMMC Final Rule reforms.
CFR is an abbreviation for the Code of Federal Regulations. It’s a codification of all the federal rules published in the Federal Register.
The CFR includes both temporary and permanent rules, provided that they're legally binding on the relevant executive federal department or agency.
Now, the CFR comes in multiple titles. Each title is assigned to different federal agencies.
CFR Title 32 is one of the 50 in the Code of Federal Regulations. It contains codified publications of federal laws and regulations related to the US national security and defense.
CFR Title 32 addresses regulations on properly administering information concerning the US Armed Forces, intelligence services, and defense logistics. All the rules are operational as of their publication date.
According to CMMC news, the 32 CFR Final Rule outlines the responsibilities and structure of the reformed CMMC framework. It contains all critical information defense vendors need to attain and maintain CMMC compliance.
As with other titles in the Code of Federal Regulations, Title 32 is available in printed and digital formats. The online versions are accessible via the Electronic Code of Federal Regulations (eCFR).
Title 32 is further split into two subtitles and fourteen chapters. Subtitle A contains four chapters, whereas Subtitle B has ten.
The 32 CFR Final Rule no longer presents CMMC reforms in a conceptualized view. Instead, it firmly embeds the new updates within the DoD’s legal requirements.
Defense contractors are legally obligated to meet all the specified controls in their respective DoD CMMC 2.0 certification levels.
The 32 CFR specifies the reporting requirements that DIB companies must satisfy under the newly unveiled CMMC Final Rule. One highlight is timely incident reporting.
To mitigate cybersecurity threats within their supply chain ecosystems, DoD vendors must report incidents promptly to the designated authorities. These include both successful and attempted breaches.
The 32 CFR Final Rule also urges proper maintenance of critical records pertaining to cybersecurity practices. These include documents on a vendor's measures to safeguard Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).
The specific records required depend on the CMMC level for which an organization is seeking certification.
However, despite laying out a comprehensive framework for the CMMC 2.0 program, the 32 CFR Final Rule doesn't specify the modalities for incorporating CMMC controls into federal contracts. That will be addressed by CFR Title 48, commonly known as the Federal Acquisition Regulation (FAR).
One of the most noticeable changes in the published 32 CFR CMMC Final Rule is the reduction of the certification levels from five in CMMC 1.0 down to three.
Here are the major updates for each level:
In CMMC 1.0, DoD contractors seeking CMMC compliance were obligated to enlist third-party assessments. That’s no longer the case.
Organizations seeking CMMC Level 1 certification can self-audit, provided that they report their findings to the DoD for further scrutiny.
Level 2 embodies most of the reforms in the CMMC Rule.
First, obtaining Level 2 compliance is mandatory for organizations that handle CUI and FCI. The rule also introduces compulsory assessments by CMMC third-party assessor organizations (C3PAOs) for organizations seeking assessment (OSAs).
To help you attain CMMC Level 2 compliance, a C3PAO will need to scope out your cybersecurity architecture for threats and vulnerabilities. They’ll then recommend measures your organization must implement to comply with all the 110 controls outlined in the National Institute of Standards and Technology (NIST) 800-171, as well as all 320 practice objectives.
However, a welcome relief here is the acceptance of conditional compliance.
OSAs that cannot meet all the controls can invoke a Plan of Action and Milestones (POA&M). With POA&Ms, you have up to 180 days to address the inadequacies in each audit report.
Level 3 is the pinnacle of the new CMMC 2.0 framework, focusing on the most advanced cybersecurity threats to the defense network. It outlines requirements for DIBs to enhance threat detection and streamline incident response across their information networks.
Per the 32 CFR Final Rule, OSAs aiming to attain Level 3 compliance must fulfill all Level 2 requirements plus additional controls.
Besides, all cybersecurity audits under this level must be performed by a government-appointed professional.
CMMC 1.0 emphasized compliance for companies engaging directly with the Department of Defense. However, this turned out to be a tactical oversight that hackers would later exploit, much to the DoD’s detriment.
Under the 32 CFR Final Rule, CMMC compliance now applies to both defense contractors and their subcontractors.
Every defense vendor classified above the micro-purchase threshold of $10,000 must now meet the DoD CMMC standards, regardless of size and location. It’s a strategic move to ward off threats across the defense industrial base.
ESPs and MSPs are common cybersecurity acronyms. They stand for External Service Providers and Managed (Security) Service Providers, respectively.
The CMMC Final Rule defines ESPs as third-party organizations that provide services that support the contract performance or member services of DIB companies.
According to the now-published 32 CFR Final Rule, external service providers safeguard various categories of protected data on behalf of DIBs. Those include sign-in credentials and configuration data.
Such information must be handled by or stored in an ESP’s IT networks for the organization to be deemed an ESP. It’s an ingenious move to streamline the management of IT services and incident response.
Meanwhile, managed (security) service providers are ESPs that specifically provide cybersecurity services. Their key roles include managing access control and actively scoping systems for threats.
Going by this distinction, MSPs have a more dedicated role in fostering CMMC compliance.
In addition to making a clear distinction between ESPs and MSPs, the 32 CFR Final Rule spells out the role of cloud service providers (CSPs).
CSPs specifically provide cloud-based services. Some of their key offerings include Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).
However, these services should meet certain criteria to be deemed CSP-originated.
Notably, they must be delivered on demand and be remarkably scalable. They should also support broad network access and be readily available on the internet.
Further, the 32 CFR Final Rule stipulates additional requirements for OSAs seeking CMMC certification at Levels 2 and 3. These conditions apply where the certification process requires the use of a CSP's Cloud Service Offering (CSO) for handling controlled unclassified information.
First, the CSO must hold a Federal Risk and Authorization Management Program (FedRAMP) authorization at the Moderate baseline or higher. They'll also need to conduct a FedRAMP Moderate equivalency assessment in liaison with a FedRAMP third-party assessor organization (3PAO).
Results from these audits must be submitted to the relevant organization seeking certification (OSC) as evidence of meeting the basic requirements for handling CUI.
Another significant update in the 32 CFR CMMC rule is the exemption of external service providers from undertaking mandatory CMMC certification.
However, this depends on the type of CMMC certification you’re aiming for. The DoD may require your preferred ESP to meet certain compliance requirements for any audit reports to be deemed valid.
Besides, working with an uncertified ESP may have the provider’s assets evaluated for basic cybersecurity compliance during routine CMMC audits. This could prolong the audit timeline and increase the assessment fees.
So, it’s not enough to insist on an ESP that’s up to date on the CMMC’s maturity processes and policies. They should also provide proof of CMMC certification.
The published 32 CFR Rule obliges CMMC third-party assessor organizations to engage at least two competent staffers before undertaking any cybersecurity audits. These include a Certified Professional (CP) and a Certified Assessor (CA).
CPs and CAs must undergo rigorous training on the new CMMC cybersecurity framework to earn their respective certifications.
According to CMMC news, three CAs must be part of each CMMC audit. Two of these will be active assessment team members, whereas one will play the role of quality assurance.
Besides, the umbrella C3PAO they work for must be authorized by the Cyber AB and listed on the accreditation body’s official website.
The eventual publishing of the 32 CFR Final Rule in October 2024 came as a game changer in the realm of cyber warfare. It’s a solid reassurance of the DoD’s commitment to intensify its campaign against cyber-attacks in the defense supply chain.
However, the 32 CFR Final Rule features a raft of reforms requiring in-depth understanding. From redefining the assessment scope to outlining C3PAOs' responsibilities, grasping these changes might require professional expertise.
The best way to kick-start your CMMC 2.0 compliance is to enlist the services of an accredited CMMC third-party assessment organization. Insist on a C3PAO authorized by the Cyber AB and with proven success in implementing CMMC protocols.