CMMC 2.0 Proposed Rule

It is here! We finally have some rule making updates. If you are looking for the updated rule or guidance documents, start here:

Additionally – Comments close Feb 26, 2024.

One bit of interesting language:

If an OSA utilizes an ESP, other than a Cloud Service Provider (CSP), the ESP must have a CMMC certification level equal to or greater than the certification level the OSA is seeking. For example, if an OSA is seeking a CMMC Level 2 Certification Assessment the ESP must have either a CMMC Level 2 Certification Assessment or a CMMC Level 3 Certification Assessment.

External Service Provider (ESP) means external people, technology, or facilities that an organization utilizes for provision and management of comprehensive IT and/or cybersecurity services on behalf of the organization. In the CMMC Program, CUI or Security Protection Data ( e.g., log data, configuration data), must be processed, stored, or transmitted on the ESP assets to be considered an ESP. (CMMC-custom term)