

DoD Proposed Rule published on 12/26/2023

Link to Rule

Brief Summary


Comment Period HAS CLOSED as of February 26, 2024

Now we wait and let it play out.


DoD currently requires covered defense contractors and subcontractors to implement the security protections set forth in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Rev 2 to provide adequate security for sensitive unclassified DoD information that is processed, stored, or transmitted on contractor information systems and to document their implementation status, including any plans of action for any NIST SP 800-171 Rev 2 requirement not yet implemented, in a System Security Plan (SSP).


When this 32 CFR CMMC Program rule is finalized, solicitations for defense contracts involving the processing, storing, or transmitting of FCI or CUI on a non-Federal system will, in most cases, have a CMMC level and assessment type requirement a contractor must meet to be eligible for a contract award.

Contract Eligibility:

Level 1 - Final Self Assessment with no POAMs

Level 2 Self Assessment - A Conditional (with POAMs) or Final (No POAMs) Assessment

Level 2 C3PAO Assessment - A Conditional (with POAMs) or Final (No POAMs) Assessment

Note here that a Conditional assessment with POAMs is only valid for 180 days from initial assessment.

Level Requirement Breakdown

CMMC Level Breakdown

Cloud Service Provider (CSP)

Cloud Service Provider (CSP) means an external company that provides a platform, infrastructure, applications, and/or storage SERVICES for its clients.

Assessment of Cloud Service Provider. An OSC may use a FedRAMP Moderate (or higher) cloud environment to process, store, or transmit CUI in execution of a contract or subcontract with a requirement for CMMC Level 2 under the following circumstances:

EASY SPEAK: You can use a Cloud provider if you have a CMMC L2 requirement and they can provide either item (i) or (ii) and (iii) below.


(i) The Cloud Service Provider’s (CSP) product or service offering is FedRAMP Authorized at the FedRAMP Moderate (or higher) baseline in accordance with the FedRAMP Marketplace.

EASY SPEAK:  The Cloud Provider must be listed on the FedRAMP Marketplace.


(ii) The Cloud Service Provider’s (CSP) product or service offering is not FedRAMP Authorized at the FedRAMP Moderate (or higher) baseline but meets security requirements equivalent to those established by the FedRAMP Moderate baseline (or Higher). Equivalency is met if the OSA has the CSP’s System Security Plan (SSP) or other security documentation that describes the system environment, system responsibilities, the current status of the Moderate baseline controls required for the system, and a Customer Responsibility Matrix (CRM) that summarizes how each control is MET and which party is responsible for maintaining that control that maps to the NIST SP 800-171 Rev 2 requirements.

EASY SPEAK: The CSP must provide an SSP that identifies how they currently implement the FedRAMP Moderate requirements (327 controls) and maps them to the 800-171/CMMC controls, and a CRM with defined responsibilities.


(iii) In accordance with § 170.19, the OSC’s on-premises infrastructure connecting to the CSP’s product or service offering is part of the CMMC Assessment Scope. As such, the security requirements from the CRM must be documented or referred to in the OSC’s SSP.

EASY SPEAK: The OSC must identify and reference the CSP's (a) FedRAMP Authorization OR (b) the CSP's SSP and CRM.

External Service Provider (ESP)

External Service Provider (ESP) means external people, technology, or facilities that an organization utilizes for provision and management of comprehensive IT and / or cybersecurity services on behalf of the organization.

EASY SPEAK: Any non-employee that performs IT/Cybersecurity work for your company is an ESP.

If an OSA utilizes an ESP, other than a Cloud Service Provider (CSP), the ESP must have a CMMC certification level equal to or greater than the certification level the OSC is seeking.

EASY SPEAK: The ESP's organization must have either a Level 2 or 3.

Rule Comments

CISEVE pulled out all the Comments that DoD has already answered; you can download them HERE.

There are 44 Comments listed under 24 categories. If your question/comment can be answered from this list, there is no need to submit the comment again.
