The latest Cyber AB Town Hall centered on key developments in the ongoing CMMC program, providing valuable updates for organizations working toward compliance. With the CMMC Final Rule nearing publication, several important milestones and updates were highlighted. Below is a recap of the major takeaways from this month’s session.
TL:DR – Key Takeaways from the Town Hall:
- Key updates were provided on the upcoming CMMC Final Rule, expected to be published in mid-to-late October with enforcement beginning in December.
- New terminology was introduced, including the Organization Seeking Assessment (OSA), and updates were shared on the Certification Assessment Plan (CAP) and C3PAO reauthorization.
- The 3-Assessment Requirement for CCAs was dropped, and improvements to the CMMC marketplace are in progress.
- With the Final Rule fast approaching, organizations must act now to stay compliant!
CMMC Final Rule Timeline
The long-awaited CMMC Final Rule is expected to be published in mid-to-late October, with a 60-day effective date that could bring enforcement as early as December. The review process has moved swiftly, and NARA (National Archives and Records Administration) received the rule earlier than anticipated.
The 119th Congress, which convenes on January 3rd, 2025, will have the opportunity to review the rule via a look-back mechanism. However, with bipartisan support for CMMC, there is no expectation that the rule will be reversed or face significant delays. The Cyber AB has stated that CMMC can move forward without congressional approval. The CMMC program would be available to be voluntarily placed in contracts on the date it is published final (potentially October 2024).
New Terminology: OSA vs. OSC
During the session, the Cyber AB introduced a new term: Organization Seeking Assessment (OSA). This term is used to distinguish companies working toward assessment versus those working toward full certification (OSC). While the difference may seem minor, Cyber AB stressed that understanding this distinction will be important for organizations as they navigate the compliance process.
FedRAMP Memo Update
The town hall continues to place emphasis on FedRAMP-Equivalency Memo updates and its implications for organizations seeking CMMC compliance. This memo, which addresses the alignment of the Federal Risk and Authorization Management Program (FedRAMP) with CMMC, will provide additional guidance on how organizations can leverage their existing FedRAMP certifications to satisfy certain CMMC requirements.
The memo is expected to be published alongside or shortly after the CMMC Final Rule, and it may be updated at the time of its release or later, depending on evolving compliance needs. A key point raised during the town hall was that the FedRAMP Memo could serve as a point-in-time determination, meaning that while certain certifications may meet CMMC requirements initially, they may not be recognized later without re-evaluation.
Certification Assessment Plan (CAP) and C3PAO Updates
The Certification Assessment Plan (CAP) (a procedural guide for assessments) for Level 2 assessments is slated for release after the CMMC Final Rule is published, with Cyber AB prioritizing its development. The town hall also included updates for Certified Third-Party Assessor Organizations (C3PAOs), announcing that there are now 57 accredited C3PAOs, with more expected soon. These organizations will finally be authorized to conduct CMMC assessments.
Another key update from the Cyber AB was related to eMass, the IT system of record for CMMC assessments, which remains outside Cyber AB’s control. However, improvements to the CMMC marketplace are underway, aiming to enhance how content is displayed and updated.
Key Announcements from the Q&A
- The 3-Assessment Requirement for Certified CMMC Assessors (CCAs) has been officially dropped.
- Self-employed CCAs may face some additional challenges in verifying their experience.
- A new Code of Conduct is in the works for C3PAOs, as the current version is outdated.
- Updates are being made to the certificate design, refining its professional look.
What This Means for Your Organization
The new information shared during the town hall further clarifies the CMMC landscape, especially for businesses preparing for compliance. The introduction of terms like OSA and OSC, along with the forthcoming release of the CAP guide, highlights the importance of staying up to date on these developments. These updates will impact how organizations approach their CMMC assessments and eventual certifications.
How Ardalyst Can Help
With the CMMC Final Rule approaching, there’s no time to waste. Let Ardalyst guide you through this complex process, ensuring that your business is fully prepared. Our Tesseract program is tailored to provide cost-effective, expert-led support to organizations of all sizes working toward CMMC compliance.
Don’t wait—book your introductory call with our experts today and start your path to certification!
