What is CMMC? CMMC Update Archives CMMC Links
Security Awareness Training Public Speaking Expert Witness
Newsletters Whitepapers Articles Videos Interviews Additional Resources
CMMC Update by Glenda R. Snodgrass for The Net Effect
[ View this email in your web browser ] [ Visit our archives ] [ Sign Up for this Newsletter ]

January 17, 2024

Comments on the proposed new CMMC rule

I spent some time this past week drafting comments on what I consider the most worrisome aspect of the new CMMC rule: scope creep and its impact on the cost of CMMC. You can read the entirety of my comments at https://www.regulations.gov/comment/DOD-2023-OS-0063-0042 but I'll give you a summary here:

The combination of three things in the proposed rule has greatly expanded the scope of compliance, and thus the burden of effort and cost:

  1. The newly-created data type "Security Protection Data" (SPD) which needs to be protected at the same level as CUI, although it is not in fact CUI.
  2. Requiring "External Service Providers" (ESPs) to be CMMC L2 certified if they process, store or transmit either CUI or SPD.
  3. Defining "Cloud Service Provider" (CSP) so broadly as to encompass many non-cloud models of hosting data and applications.

I urge everyone to read the proposed rule and submit comments on these and any other aspects that you believe need to be changed. DoD needs to hear the voices of the Defense Industrial Base -- everyone, not just the mega primes. Regulations.gov has a very useful tip sheet for comments, including these:

  • Read and understand the regulatory document you are commenting on (Remember that you are commenting on the CMMC assessment program, not on the requirements of NIST 800-171)
  • Be concise but support your claims
  • Base your justification on sound reasoning, scientific evidence, and/or how you will be impacted
  • Address trade-offs and opposing views in your comment
  • There is no minimum or maximum length for an effective comment
  • The comment process is not a vote -- one well supported comment is often more influential than a thousand form letters

The more people who comment effectively, the better the chance of getting some relief.

Meanwhile, if you need help with your CMMC preparation, you know where to find me!

Want more information? Check out my upcoming virtual CMMC workshops:


Wednesday, February 28, 2024
Tuesday, March 5, 2024
Glenda R. Snodgrass Sincerely,

Glenda R. Snodgrass, CCP/CCA
grs@theneteffect.com
The Net Effect, LLC
www.theneteffect.com
251-433-0196 x107

If you enjoy these updates, you might also enjoy my weekly newsletter "Cyber Security News & Tips" -- sign up now!

TNE. Cybersecurity. Possible.

Speak with an Expert

Contact

The Net Effect, L.L.C.
Post Office Box 885
Mobile, Alabama 36601-0885 (US)
phone: (251) 433-0196
fax: (251) 433-5371
email: sales at theneteffect dot com
Secure Payment Center

Site Map

Home
Employee Training
Security Awareness Training
Public Speaking
Expert Witness
Workshops
About

Resources


CMMC
Newsletter
Whitepapers
Articles
Videos
Interviews

The Net Effect, LLC

Copyright 1996-2024 The Net Effect, L.L.C. All rights reserved. Read our privacy policy