CMMC Update by Glenda R. Snodgrass for The Net Effect
[ View this email in your web browser ] [ Visit our archives ] [ Sign Up for this Newsletter ]

January 17, 2024

Comments on the proposed new CMMC rule

I spent some time this past week drafting comments on what I consider the most worrisome aspect of the new CMMC rule: scope creep and its impact on the cost of CMMC. You can read the entirety of my comments at but I'll give you a summary here:

The combination of three things in the proposed rule has greatly expanded the scope of compliance, and thus the burden of effort and cost:

  1. The newly-created data type "Security Protection Data" (SPD) which needs to be protected at the same level as CUI, although it is not in fact CUI.
  2. Requiring "External Service Providers" (ESPs) to be CMMC L2 certified if they process, store or transmit either CUI or SPD.
  3. Defining "Cloud Service Provider" (CSP) so broadly as to encompass many non-cloud models of hosting data and applications.

I urge everyone to read the proposed rule and submit comments on these and any other aspects that you believe need to be changed. DoD needs to hear the voices of the Defense Industrial Base -- everyone, not just the mega primes. has a very useful tip sheet for comments, including these:

  • Read and understand the regulatory document you are commenting on (Remember that you are commenting on the CMMC assessment program, not on the requirements of NIST 800-171)
  • Be concise but support your claims
  • Base your justification on sound reasoning, scientific evidence, and/or how you will be impacted
  • Address trade-offs and opposing views in your comment
  • There is no minimum or maximum length for an effective comment
  • The comment process is not a vote -- one well supported comment is often more influential than a thousand form letters

The more people who comment effectively, the better the chance of getting some relief.

Meanwhile, if you need help with your CMMC preparation, you know where to find me!

Want more information? Check out my upcoming virtual CMMC workshops:

Wednesday, February 28, 2024

Tuesday, March 5, 2024
Glenda R. Snodgrass Sincerely,

Glenda R. Snodgrass, CCP/CCA
The Net Effect, LLC
251-433-0196 x107

If you enjoy these updates, you might also enjoy my weekly newsletter "Cyber Security News & Tips" -- sign up now!

TNE. Cybersecurity. Possible.

Speak with an Expert


The Net Effect, L.L.C.
Post Office Box 885
Mobile, Alabama 36601-0885 (US)
phone: (251) 433-0196
fax: (251) 433-5371
email: sales at theneteffect dot com
Secure Payment Center

The Net Effect, LLC

Copyright 1996-2024 The Net Effect, L.L.C. All rights reserved. Read our privacy policy