CMMC Compliance Guide Blog


32 CFR Rule Update: Navigating Key Changes for DoD Subcontractors

October 21, 2024 | 3 min read

Understanding the 32 CFR Rule

The 32 CFR Rule introduces several new regulations and updates that will directly affect defense contractors, particularly subcontractors in the Department of Defense (DoD) supply chain. Some of the key areas covered include changes to Plans of Action and Milestones (POAMs), FIPS encryption, external service providers (ESPs), and NIST 800-171 revisions.

Key Changes and Their Impact

1. Plans of Action and Milestones (POAMs)

A significant update in the 32 CFR Rule is the limit on POAM timelines. Previously, businesses could set extended deadlines for completing security controls. Now, POAM items must be closed within 180 days (about six months). This change affects businesses in several ways:

  • Certification Assessments: During an assessment, any incomplete controls must be addressed within the 180-day window. If your business undergoes a major network change or merger, you may need to update your POAM accordingly.

  • Impact on Subcontractors: Subcontractors need to ensure they have well-prepared POAMs in place for any missing controls. Failing to meet the new timeline can delay certification, which is crucial for maintaining contracts.

2. FIPS Validated Encryption

The rule emphasizes the use of FIPS-validated encryption, which is a stringent security requirement for handling Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). It’s important to note that:

  • Only FIPS-validated encryption modules are accepted. Modules described as “FIPS compliant” or otherwise similar, but not validated, are not sufficient.

  • Many current systems, such as Windows Server 2022 and newer versions of Windows 10 and 11, are not yet FIPS validated, making compliance more challenging.

  • This requirement creates complications for businesses using newer software that has not yet been validated. Contractors may need to use older versions or await updates while maintaining documentation proving compliance efforts.

3. External Service Providers (ESPs)

External service providers (ESPs) that handle, store, or transmit CUI or FCI are subject to CMMC certification requirements. The challenge is that:

  • Chicken and Egg Problem: Contractors need to ensure their ESPs are CMMC certified, but they can’t seek certification until their ESPs are certified. This creates a complex chain of dependencies.

  • Businesses should prioritize working with certified ESPs or, if necessary, prepare to switch providers if their current ESPs cannot meet the compliance standards.

4. NIST 800-171 Revision 2

The new rule fixes NIST 800-171 Revision 2 as the cybersecurity standard for CMMC compliance. Even though NIST 800-171 Revision 3 has been published, contractors should focus on implementing Revision 2 for the time being. This provides some stability while businesses adjust to the changes.

Preparing for Certification: Best Practices

For businesses in the early stages of their CMMC journey, here are the first three steps to take:

  • Hire a Professional: Engage a certified assessor or registered practitioner who understands the intricacies of CMMC. This ensures that your business meets all the controls and objectives required for certification.

  • Start Early: Don’t wait until the final rule is released. Begin implementing the necessary controls now, so you are prepared when certification assessments become mandatory.

  • Focus on Implementation: The biggest challenge isn’t the assessment cost; it’s the implementation. Ensure you have the right solutions, personnel, and documentation in place to meet CMMC requirements.

The 32 CFR Rule brings about crucial updates that defense contractors must understand and act upon to remain compliant. From strict POAM deadlines to the complexities of FIPS encryption and ESP certification, businesses face several hurdles. By taking early action and working with experienced professionals, you can navigate these changes and ensure your continued success in the DoD supply chain.

Don't let the complexities of CMMC compliance slow your business down. Our team of experts at CMMC Compliance Guide is here to help you navigate the 32 CFR Rule and ensure your subcontractor certification process is hassle-free. Whether you're just getting started or looking to fine-tune your compliance strategy, we can provide the guidance you need. Schedule a free initial consultation today!


© Copyright 2024. Justice IT Consulting LLC. All Rights Reserved.