This article is provided by Core Business Solutions in partnership with IMEC.
If you contract with the Department of Defense (DoD), you’ve probably experienced some confusion over the last few years. In 2019, the DoD announced its new cybersecurity requirements for contractors–the Cybersecurity Maturity Model Certification (CMMC). Since then, the rollout has faced revisions and delays, leaving many contractors unsure of the future.
But now the DoD has announced a publication date for the final version of CMMC: March 2023. The DoD has also outlined a new schedule for the rollout of requirements to contractors.
What will this rollout look like, what will it mean for you–and is this really the final word on CMMC? Read on to learn more.
As a government contractor, you may have had questions over the last few years about CMMC. If you’re already familiar with CMMC and its purpose, feel free to skip ahead to the section below, where we break down the latest updates. But if CMMC is news to you, here’s a short refresher on the model and its origins.
America’s adversaries know it’s easier to exfiltrate information from defense contractors than from the DoD itself. The DoD has strict cyber protections in place for its own systems. But often, its contractors and subcontractors have fewer defenses. Bad actors can hack contractors to steal valuable information–such as Controlled Unclassified Information (CUI)–and in some cases piece together entire designs or plans.
To prevent such attacks, the DoD introduced stricter cybersecurity requirements for contractors. Foremost among them: CMMC. CMMC will require many contractors to prove their cybersecurity compliance with an official third-party assessment certification. All DoD contractors will need to certify to some version of the model.
The initially proposed model met with many criticisms, especially from smaller contractors for whom the requirements would entail a significant financial burden. The rollout date of CMMC was pushed back and an updated version of the standard (CMMC 2.0) was revealed in November 2021. You can read more about CMMC 2.0 in detail here.
At that time, the DoD announced a rule-making process of 9-24 months, leaving contractors with an ambiguous timeline. Now the department has set an official estimated schedule for the rollout of CMMC 2.0.
According to the DoD, the final rule for CMMC 2.0 should be published in March 2023, presuming the government’s rule-making process goes as planned. At that point, a 60-day comment period will ensue.
In the meantime, two important steps are currently underway.
1. Starting November, 2020 the DoD’s Interim Rule was released which requires all DoD prime contractors and sub-contractors to conduct a self-assessment of their compliance to NIST SP 800-171 and to submit those results into the Supplier Performance Risk System (SPRS) database. Having a “SPRS score” on file with the DoD is now a prerequisite to being awarded any contract with the DoD.
2. In 2021, the DoD began training and qualifying C3PAO organizations and their assessors to be ready to conduct formal CMMC 2.0 assessments next year. In preparation for that, the DoD’s DIBCAC (assessment team) is conducting joint assessments with newly trained C3PAO assessors on suppliers who agree to a 3rd-party “voluntary assessment” to NIST SP 800-171. The purpose of this is to ensure C3PAO assessors learn the assessment methods of the DoD.
3. Later in 2023, if things stay on schedule, formal CMMC certification requirements will officially begin appearing in defense contracts. This will mean that a full CMMC certification will become mandatory in order to be awarded a contract that includes this requirement. It will take three years for CMMC to reach all defense contracts, with a target date of October 1, 2025 for the complete rollout.
It’s possible. If you’ve been following CMMC updates over the last few years, you might feel wary of putting too much stock in these rollout dates.
But this is the most current information on the CMMC rollout, and contractors can’t afford not to take it seriously. The DoD also has an impetus to get the rollout going. The longer the delay, the longer the defense pipeline stays vulnerable.
Does it really make sense to start preparing now? The simple answer is: Yes. But what does that look like for you?
Now DoD contractors now have a tangible target for CMMC implementation: May 2023.
Because of all the delays and revisions to CMMC, many contractors have yet to prepare. If that’s you, the time to prepare is now. CMMC implementation doesn’t happen overnight. To successfully meet your May 2023 target, the sooner you implement, the better.
Start by figuring out which level of CMMC you must meet to keep your contracts. To help, we’ve written an article on which CMMC level is right for you. Essentially, it comes down to whether your company handles controlled unclassified information (CUI) or simply federal contracting information (FCI). If you only handle FCI, you likely only require CMMC Level 1.
If you require Level 2 or 3, you can count on the fact that you’ll need full 3rd-party certification when the requirement is added to the contract(s) you’re pursuing. If you’re not sure what might happen with your current contract, you can speak to your contracting officer for clarification.
At Core Business Solutions, we specialize in helping small businesses achieve cybersecurity. We know the burden of time and money that CMMC puts on smaller contractors. But we also know that with the right tools and the right help, any contractor can meet the requirements and keep their contracts.
Our team is made up of CMMC registered practitioners (RPs) who have completed the authorized CMMC-AB provided training in order to provide CMMC consulting help.
Many small businesses won’t want to face the time and expense of a complete overhaul of their IT network to meet these stringent requirements. As an alternative, our CORE Vault™ gives you everything you need to achieve CMMC certification in one cloud-based solution.
This cloud-based enclave comes ready-made to store and share FCI/CUI in a compliant environment. You will also receive the CORE Security Suite, including automated forms, customizable policy templates, and a score calculator to assess your readiness level. Our CMMC experts will provide all the support you need for full compliance.