The U.S. Department of Defense released the final regulations for its Cybersecurity Maturity Model Certification (CMMC) Program on October 15, 2024. The DOD reconfirmed the exclusion of fundamental research from CMMC program requirements and added concepts to help institutions meet the requirements.
In what increasingly seems like an annual tradition, a federal agency released the final version of a major regulation in roughly the same time frame as the EDUCAUSE Annual Conference. The U.S. Department of Defense (DOD) took the honors this time by releasing the final regulations (i.e., the final rule) for its Cybersecurity Maturity Model Certification (CMMC) Program roughly a week ahead of the 2024 annual conference in San Antonio.[1] Often referred to as "CMMC 2.0" to reflect that it supersedes the interim final rule from 2020 that was originally intended to establish the program, the current regulatory framework sets the stage for the phase-in of cybersecurity certification requirements in DOD contracts to begin once the companion regulations to incorporate them into the DOD contracting process take effect, which will most likely occur next spring.[2]
EDUCAUSE joined the Association of American Universities (AAU), the American Council on Education (ACE), the Association of Public and Land-grant Universities (APLU), and the Council on Governmental Relations (COGR) in submitting comments on the proposed CMMC 2.0 regulations toward the start of this year.[3] Although the final rule includes only a few modest changes from among those that we requested, it locks in a significant victory for the higher education research community, includes a couple of key concepts that will help many institutions with potential certification challenges, and avoids introducing major new problems for our members.
CMMC Requirements (Essentially) Don't Apply to Fundamental Research
In providing feedback to the DOD about its proposed CMMC 2.0 regulations, EDUCAUSE and its sister associations applauded the recognition by the DOD that fundamental research generally does not fall under CMMC requirements:
In prior comments on the CMMC Program, our associations noted that the proposed treatment of "fundamental research"—the definition of which the DoD rightly identifies in the current rulemaking as deriving from National Security Decision Directive 189 (NSDD-189)—in relation to the program ran counter to the nature of such research and the DoD's historical recognition of it. We particularly stressed that fundamental research as designated by the department excluded Controlled Unclassified Information (CUI) as well as Federal Contract Information (FCI). Since the necessity of securing FCI and CUI served as the justification for the CMMC certification requirements, the higher education associations argued that fundamental research projects should be excluded from the CMMC Program.
The current rulemaking notice acknowledges the validity of the points we originally raised, which we greatly appreciate. As its analysis of the public comments previously submitted stresses, "Program requirements apply only to defense contractors and subcontractors who handle FCI and CUI on an information system associated with a contract effort or any information system that provides security protections for such systems, or information systems not logically or physically isolated from all such systems." The department's analysis further states that the definition of fundamental research that applies in this context excludes FCI or CUI, and thus fundamental research falls outside the scope of the CMMC Program except when ". . . DoD determines the information handled by contractors pursuant to the fundamental research contract activities is or will become FCI or CUI," which "may trigger application of CMMC Level requirements."[4]
However, the exception under which the DOD could apply CMMC requirements to what are otherwise fundamental research projects definitely caught our attention, especially the language regarding the DOD possibly determining that information from a project may "become" FCI or CUI. In response, we argued that the department should work with the higher education research and cybersecurity communities to develop governing principles and a framework for identifying and addressing fundamental research "edge cases" in relation to CMMC.[5] We noted that the absence of a shared, objective basis on which to determine the limited number of fundamental research projects that might be subject to CMMC requirements would have a chilling effect on researcher and institutional interest in DOD solicitations for fundamental research. Given the problems posed by trying to apply CMMC requirements to projects once a proposal is already under consideration or after it has been awarded, institutions and researchers might have no choice but to be very selective in responding to contract solicitations in order to avoid having to decline contracts after they have been awarded or absorb unanticipated costs that they might not be able to manage.
Unfortunately, the DOD decided in the CMMC Program final rule to continue handling such cases on an individual, ad hoc basis. It noted that fundamental research edge cases are possible ("some DOD fundamental research may qualify as CUI"), which was never in dispute; rather than acknowledging the value of having an objective, systematic approach to identifying and managing them up front, though, the analysis in the final rule simply urges institutions and researchers to "work closely with Government Program Managers to ensure a proper understanding of the data being developed and the appropriate markings and safeguarding."[6] In other words, if a researcher or an institution has any doubt about whether a fundamental research project could conceivably have CMMC requirements applied to it during the proposal review or after a contract award, their only course of action is the same as it is today, which is to engage in case-by-case negotiations with the program manager and/or contracting officer for the project in question at the earliest opportunity.
EDUCAUSE continues to believe that all concerned parties would be better served by a well-defined, appropriately structured process for addressing fundamental research edge cases. That said, the highest priority for EDUCAUSE and its sister associations in relation to CMMC from the beginning of its development was to ensure that fundamental research was not pulled into the CMMC Program. Having the general exclusion of fundamental research from CMMC explicitly addressed in the final regulations fulfills that priority.
Requirements Apply to Security Protection Data—but with an Important Caveat
In their feedback on the proposed CMMC 2.0 regulations earlier this year, members expressed surprise that the DOD appeared intent on treating security protection data (SPD) as CUI for CMMC Level 2 self-assessment / certification purposes. From the perspective of subject-matter experts in the EDUCAUSE community, the definition of CUI cited in the proposed rule did not apply to SPD, especially given the very limited characterization in the notice of proposed rulemaking (NPRM) of such data as "log data" or "configuration data."[7] EDUCAUSE and its sister associations therefore argued that the DOD should provide a much clearer and more detailed definition of SPD if it insisted on applying CMMC requirements to SPD in the final rule. We also noted that the DOD should revise the estimates of the cost of CMMC compliance provided to support the proposed regulations to ensure that those estimates adequately covered the inclusion of SPD under the requirements.[8]
On the plus side, the DOD agreed with the necessity of defining SPD in the final rule and provided the following definition:
Security Protection Data (SPD) means data stored or processed by Security Protection Assets (SPA) that are used to protect an OSC's assessed environment. SPD is security relevant information and includes but is not limited to: configuration data required to operate an SPA, log files generated by or ingested by an SPA, data related to the configuration or vulnerability status of in-scope assets, and passwords that grant access to the in-scope environment. (CMMC-custom term)[9]
The downside of this step, however, is that the DOD agreed to provide a full definition of SPD because, from the perspective of the DOD, SPD was always in scope for CMMC Level 2 certification due to the inclusion of Security Protection Assets (SPAs) in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 (NIST SP 800-171) cybersecurity requirements for CUI:
This rule does not regulate an [Organization Seeking Assessment's] OSA's SPD, but instead implements existing regulatory requirements for the safeguarding of CUI, as defined in 32 CFR 2002.14(h)(2) and implemented by DFARS clause 252.204-7012. The DFARS clause 252.204-7012 requires protection of security protection assets and security protection data through its specification of NIST SP 800-171. Section 1.1 of NIST SP 800-171 R2 states: "The requirements apply only to components of nonfederal systems that process, store, or transmit CUI, or that provide security protection for such components." There is therefore no increase in the scope as described in the rule, and no revisions to cost estimates are required.[10]
The DOD further equates the SPD with CUI in the context of CMMC by stating that "SPD requires protection commensurate with the CUI it protects and is based on how and where the SPD is stored. The FedRAMP requirements for handling SPD are therefore the same as that for handling CUI."[11] However, the potential extent of this equivalency is mitigated by the CMMC scoping guidance that the DOD provides in 32 CFR 170.19, "CMMC Scoping." Part (a)(2) of 170.19 notes that "[t]he requirements for defining the CMMC Assessment Scope for CMMC Levels 1, 2, and 3 are set forth in this section."[12] Section 170.19 continues with Part (c)(1), which states, "The CMMC Assessment Scope for CMMC Level 2 is based on the specification of asset categories and their respective requirements as defined in table 3 to this paragraph (c)(1)."[13] Table 3 then defines the "CMMC Assessment Requirement" for "Security Protection Assets" as "Assess against Level 2 security requirements that are relevant to the capabilities provided" [emphasis added].[14] Consequently, given the governing nature of the guidance provided in Section 170.19, institutions will have to apply NIST SP 800-171 controls to SPD as they would CUI, but only those 800-171 controls that "are relevant to the capabilities provided" by the SPA from which the SPD stems.
No Change to the Parameters for Plans of Action and Milestones
The proposed CMMC 2.0 regulations included parameters for plans of action and milestones (POA&Ms) to allow for conditional certification at Levels 2 and 3 so that organizations close to full compliance may compete for DOD contracts while working to fulfill any remaining requirements. EDUCAUSE and its sister associations, however, viewed the proposed number and scope of requirements that could be addressed via a POA&M as overly restrictive and the time frame in which an organization would have to complete a POA&M as too brief to allow the entity to achieve compliance:
As currently written, the POA&M eligibility requirements would eliminate approximately two-thirds of the CMMC assessment objectives from being included in a POA&M, greatly increasing the chances of a certification failure when reasonable efforts could still be made to attain full compliance in a timely manner. . . . The heavily circumscribed set of objectives that would qualify for inclusion in a POA&M under the proposed rule likely would preclude researchers and institutions from contributing to DoD research where they appropriately could, and it may also unnecessarily increase the potential for compliance problems. . . .
Regarding the proposed 180-day time frame in which a POA&M must be completed, we understand the DoD's vested interest in having organizations that are operating under such plans move as expeditiously as possible to fully implement them. However, the experience of our member institutions in working through POA&Ms indicates that the proposed 180-day completion period does not match the actual time an organization acting in good faith would generally need to complete a POA&M.[15]
With these problems in mind, we argued that the DOD should omit restrictions on the requirements that an organization could address via a POA&M and increase the time frame for POA&M completion from 180 days to 360 days in the final rule. The DOD, however, decided to proceed with its original parameters for POA&Ms and incorporate them into the final rule:
The DoD does not accept the recommendation to change the criteria for POA&Ms or the timeline allowed to remediate open POA&M items. The 180-day period allowed for POA&Ms and the determination of which weighted practices can be placed on a POA&M was a risk-based decision. The determination considers the relative risk DoD is willing to accept when a particular practice is not met and the amount of risk the DoD is willing to accept for those security practices that go "NOT MET" for an extended period. The DoD declined to edit the rule regarding the closeout of security requirements that are not allowed on the POA&M as stated in § 170.21. The decision in this scenario is a business decision between the applicable C3PAO and the OSC.
Given the evolving cybersecurity threat, DoD's best interests are served by ensuring that POA&Ms remain open for no longer than 180 days, regardless of which controls are included or the plan for remediation.[16]
A Modest Extension of the Phase-In Timeline
Many stakeholder communities have expressed concern that the phase-in time frame for including CMMC requirements in all relevant DOD contracts does not allow enough time for certifying a sufficient number of CMMC Certified Assessors (CCAs) and CMMC Certified Professionals (CCPs) to meet the demand for CMMC Level 2 certification across all of the organizations that will need it. The higher education research and cybersecurity communities are no exception. EDUCAUSE and its sister associations clearly stated this point in our comments on the proposed CMMC 2.0 regulations earlier this year:
We note that it is not clear whether the DoD analysis of the estimated number of entities that will need a CMMC Level 2 Certification Assessment extends beyond prime contractors to include subcontractors and potentially affected [External Service Providers] ESPs. The total number identified in Table 3–Estimated Number of Entities by Type and Level—76,598—does not appear to be large enough in our estimation to account for the full population of entities that might reasonably be expected to seek certification. As a result, our member institutions have serious concerns about whether the supply of qualified assessors will be sufficient in the timeframe that the DoD has proposed for phasing Level 2 certification requirements into its project solicitations. The implications of any significant number of contractors and service providers being unable to secure the certification necessary to compete for affected contracts are fairly serious for both the DoD as well as the entities unable to achieve certification within the required timeline through no fault of their own.[17]
Given the reasonable possibility that a number of colleges and universities might not be able to achieve certification in time to compete for contracts with Level 2 designations, EDUCAUSE and its sister associations proposed that the DOD extend the phase-in period for Level 2 requirements by two years or allow institutions to use Level 2 self-assessments to meet CMMC requirements through the end of the overall CMMC phase-in period.[18] The DOD declined to adopt either option in the final CMMC Program regulations. However, it did agree to extend the initial phase-in period by six months and have that change ripple through the subsequent phases: "DoD has updated the rule to add an additional six months to the Phase 1 timeline. Phase 2 will start one calendar year after the start of Phase 1, and Phase 3 will start one calendar year after the start of Phase 2."[19] (Per the program regulations, the fourth and final phase will start one calendar year after Phase 3.) The DOD accomplishes this by tying the start of Phase 1 to the effective date for the companion regulations that add the implementing terms for the CMMC Program to the DOD contracting regulations. So, although the final CMMC 2.0 program regulations will take effect on December 16, 2024, the first round of contracts with CMMC requirements as a condition of award will emerge in mid-2025.[20]
No Industry Experience Requirement for Lead Assessors
EDUCAUSE members raised an innovative proposal for the requirements that a CCA would have to meet to lead a CMMC certification assessment. This proposal was included in the higher education associations' comments on the proposed regulations. Given the uniqueness of higher education research institutions in comparison to other potential defense contractors, our research cybersecurity community has long been concerned about whether CCAs and CCPs will have a sufficient understanding of higher education to conduct fair and accurate CMMC assessments of colleges and universities. Therefore, members recommended—and EDUCAUSE, along with its sister associations, proposed—that the DOD require Lead CCAs to have some background in the industry of the organization being assessed:
Appropriately interpreting and assessing NIST SP 800-171 standards in academic contexts requires an understanding of how they are effectively applied and implemented in diverse, often discipline-specific settings. CMMC assessment leaders and professionals that are not familiar with higher education research environments may produce negative assessment findings not due to actual information security deficits, but simply because they lack experience with how security requirements are validly fulfilled in those environments. . . .
With this in mind, we recommend that the DoD modify the requirement in the proposed rule for Certified Third-Party Assessment Organizations (C3PAOs) that concerns the composition of assessment teams (see the proposed 32 CFR 170.9(b)(13)). This provision should require that the "Lead CCA" for an assessment team have industry-specific knowledge and experience in relation to the industry in which the [Organization Seeking Certification] OSC in question participates.[21]
EDUCAUSE and its sister associations acknowledged that advocating for this requirement would add to the problem of ensuring the availability of an adequate number of CCAs to conduct all of the CMMC certification assessments that the program will need. We noted, however, that the importance of accurately conducting such assessments outweighed the potential increase in the CCA capacity problem, and that the DOD's acceptance of our proposals on altering the phase-in time frame would mitigate the issue.[22] Unfortunately, the department made only a limited adjustment to the phase-in timeline and was not willing to adopt the industry knowledge requirement for Lead CCAs:
The DoD also disagreed with a recommendation to require Lead CCAs to have industry-specific knowledge of the industry in which the OSC being assessed participates. The DoD found that this requirement would unreasonably restrict C3PAOs from participating in a broad range of assessments and could have a negative effect on the ability of the DIB to schedule CMMC Level 2 certification assessments. The OSC can select a C3PAO with the experience it considers valuable.[23]
Addition of "Enduring Exceptions" and "Temporary Deficiencies"
Both the proposed and final rules discuss "Specialized Assets," which is a concept that resonates particularly with colleges and universities given that academic researchers may often rely on specialized equipment that cannot meet NIST SP 800-171 requirements:
Finally, Specialized Assets, which are assets that can process, store, or transmit CUI but are unable to be fully secured, including: Internet of Things (IoT) devices, Industrial Internet of Things (IIoT) devices, Operational Technology (OT), Government Furnished Equipment (GFE), Restricted Information Systems, and Test Equipment, are documented but are not assessed against other CMMC security requirements, as addressed in table 1 to § 170.19(c)(1).[24]
Fortunately, the DOD connects the dots in the final rule between "Specialized Assets" and an important concept from NIST SP 800-171 that explains why such assets "are documented but are not assessed against other CMMC security requirements" using the term "Enduring Exception":
Enduring Exception means a special circumstance or system where remediation and full compliance with CMMC security requirements is not feasible. Examples include systems required to replicate the configuration of "fielded" systems, medical devices, test equipment, OT, and IoT. No operational plan of action is required but the circumstance must be documented within a system security plan. Specialized Assets and [Government Furnished Equipment] GFE may be enduring exceptions. (CMMC-custom term)[25]
The DOD further notes that "Specialized Assets are a type of enduring exception and cover a broad range of circumstances and system types that may not be able to be fully secured as described in NIST SP 800-171 R2."[26]
The inclusion of the specific reference to "Enduring Exceptions" in the final rule provides a welcome clarification that establishes how "Specialized Assets" as originally discussed in the proposed CMMC 2.0 regulations will be addressed in the context of a CMMC assessment. To the extent that research equipment has a sufficient connection to CUI to fall within the scope of a CMMC Level 2 assessment, the institution will need to document it as part of the assessment scope for review and discussion with the CMMC assessment team. Although the institution and assessment team may have to negotiate whether a certain piece of equipment meets the "Specialized Asset" definition, to the extent it does, it would qualify for an "Enduring Exception" from the 800-171 requirements, with the institution indicating how it will otherwise appropriately secure the asset in its system security plan.
Similarly, the final CMMC Program regulations include a definition for "temporary deficiency" that helps to clarify how institutions can handle minor, generally short-term deviations from 800-171 compliance:
Temporary deficiency means a condition where remediation of a discovered deficiency is feasible, and a known fix is available or is in process. The deficiency must be documented in an operational plan of action. A temporary deficiency is not based on an "in progress" initial implementation of a CMMC security requirement but arises after implementation. A temporary deficiency may apply during the initial implementation of a security requirement if, during roll-out, specific issues with a very limited subset of equipment is discovered that must be separately addressed. There is no standard duration for which a temporary deficiency may be active. For example, FIPS-validated cryptography that requires a patch and the patched version is no longer the validated version may be a temporary deficiency. (CMMC-custom term)[27]
With this concept in hand, the DOD highlights the distinction between POA&Ms and operational plans of action in the final rule and reaffirms the validity of the latter to address normal cybersecurity operations without triggering a new round of CMMC assessment:
The CMMC Program allows the use of POA&Ms. Section 170.21 delineates the requirements that may be addressed as part of an assessment with a POA&M, that must be closed out by a POA&M closeout assessment within 180 days of the initial assessment to achieve the assessment requirement for Final certification. . . . Security requirement CA.L2-3.12.2 allows for the development and implementation of an operational plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems. The CMMC rule does not prohibit an OSA from using an operational plan of action at any CMMC level to address necessary information system updates, patches, or reconfiguration as threats evolve. These are different from POA&Ms permitted under a Conditional certification assessment. The DoD has updated the rule to make this distinction clear.[28]
Conclusion
As previously noted, the final CMMC Program regulations will take effect on December 16, but the addition of CMMC compliance requirements to DOD contracts under Phase 1 of the CMMC implementation timeline will not occur until roughly the middle of next year. Even then, Phase 1 will focus on organizational self-assessments under CMMC Level 1 (which concerns FCI) and the aspects of Level 2 where the DOD views self-assessment against 800-171 requirements as appropriate. Consequently, institutions that will need Level 2 third-party certification of their compliance with 800-171 should have approximately a year and a half from this point to achieve certification before contracts with Level 2 requirements start emerging in earnest.
That said, the final CMMC regulations make clear that fundamental research projects will not require CMMC self-assessment or certification except for the rare edge cases in which fundamental research projects become entangled with FCI or CUI. Likewise, the addition of "Enduring Exceptions" and "Temporary Deficiencies" in the final rule should help higher education institutions and researchers manage CMMC requirements within the distinctive academic research context, where necessary specialized equipment that cannot meet 800-171 provisions and operational steps to address continuously emerging system or application updates are far from unusual. Although EDUCAUSE and its sister associations would like to have seen more of our proposed changes included in the final rule, whether in whole or in part, the transition of the CMMC Program regulations from proposed to final occurred without producing significant, last-minute surprises, which itself is a pleasant surprise that our member institutions can carry into the new year.
Notes
1. U.S. Department of Defense, Office of the CIO, "Cybersecurity Maturity Model Certification (CMMC) Program" (final rule), Federal Register 89, no. 199 (October 15, 2024).
2. Jarret Cummings, "EDUCAUSE Raises Concerns about DOD CMMC/800-171 Assessment Rule," EDUCAUSE Review, December 15, 2020; U.S. Department of Defense, Defense Acquisition Regulation System, "Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019–D041)," Federal Register 89, no. 158 (August 15, 2024).
3. American Council on Education, Association of American Universities, Association of Public and Land-grant Universities, Council on Governmental Relations, and EDUCAUSE, letter to the Office of the Department of Defense Chief Information Officer, "Comments in Response to Docket Number DoD–2023–OS–0063 / Regulatory Identifier Number (RIN) 0790–AL49, 'Cybersecurity Maturity Model Certification (CMMC) Program,'" February 26, 2024.
4. Ibid., 3.
5. Ibid., 3–4.
6. "CMMC Program" (final rule), 83114.
7. ACE, et al., letter to DOD, "RE: Comments in response to Docket Number DoD–2023–OS–0063," 6–7.
8. Ibid., 7.
9. "CMMC Program" (final rule), 83219.
10. Ibid., 83199.
11. Ibid., 83197.
12. Ibid., 83232.
13. Ibid.
14. Ibid., Table 3 to § 170.19(c)(1)—CMMC Level 2 Asset Categories and Associated Requirements.
15. ACE, et al., letter to DOD, "RE: Comments in response to Docket Number DoD–2023–OS–0063," 8–9.
16. "CMMC Program" (final rule), 83133.
17. ACE, et al., letter to DOD, "RE: Comments in response to Docket Number DoD–2023–OS–0063," 9.
18. Ibid., 9–10.
19. "CMMC Program" (final rule), 83213.
20. Ibid., 83216 and 83092.
21. ACE, et al., letter to DOD, "RE: Comments in response to Docket Number DoD–2023–OS–0063," 11.
22. Ibid., 11–12.
23. "CMMC Program" (final rule), 83123.
24. Ibid., 89066.
25. Ibid., 83218.
26. Ibid., 83141.
27. Ibid., 83219–83220.
28. Ibid., 83133.
Jarret Cummings is Senior Advisor for Policy and Government Relations at EDUCAUSE.
© 2024 Jarret Cummings. The content of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.