A Brief History of CMMC
The Cybersecurity Maturity Model Certification (CMMC) builds on the 110 controls established by NIST 800-171, but with a crucial distinction: CMMC requires an independent third-party assessment conducted by a C3PAO (CMMC Third-Party Assessor Organization).
Since 2017, defense contractors handling controlled unclassified information (CUI) have needed to comply with NIST 800-171. Because CMMC assesses those same controls, these contractors have in effect been expected to meet CMMC standards for the past five years. The question now is not whether they need to comply, but when strict enforcement will begin.
The Department of Defense (DoD) has made it clear that CMMC is both imminent and unavoidable. Defense contractors must work towards compliance or risk losing valuable revenue-generating contracts with the DoD. Using a CMMC Compliance Checklist can aid in preparing for CMMC readiness.
When Will CMMC Be Integrated into DoD Contracts?
CMMC is expected to be codified by the end of 2024 and included in contracts by the first quarter of 2025. Companies should not wait to begin their CMMC implementation plans. Since NIST 800-171 already forms the basis for CMMC, and prime contractors are starting to require CMMC compliance from their subcontractors, early action is crucial.
Preparing for CMMC Level 2
With CMMC set to appear in contracts by early 2025, defense contractors need to start preparing for compliance now. It typically takes 12 to 18 months for a contractor to become assessment-ready, so inaction is not an option. The bottom line is that without CMMC certification, you will not be able to win DoD contracts.
The timeline for meeting all 110 NIST 800-171 controls maps out the specific steps a contractor should take as CMMC approaches finalization. However, the time and effort required will vary with each contractor’s current cybersecurity maturity and the resources it dedicates to achieving compliance.
Protecting CUI is crucial to both NIST and CMMC compliance. Contractors must not only protect their CUI but also document their compliance efforts adequately. C3PAOs will assess this documentation, requiring a System Security Plan (SSP) that demonstrates how each objective is met, supported by sufficient evidence.
It’s essential to address any Plan of Action and Milestones (POA&Ms) by specifying the necessary technologies and procedures to close identified gaps. While C3PAOs may allow limited use of POA&Ms at the time of assessment, they are restricted to a few low-scoring practices. A minimum score of 80% (88 out of 110) is required for conditional certification, so reliance on POA&Ms to pass CMMC is not advisable.
After identifying unmet controls, contractors must take prompt action to meet those controls. POA&Ms are time-bound and will expire 180 days after the C3PAO assessment. These plans should document all proposed actions to remediate deficiencies, along with their respective timelines. Regular updates to the POA&M should reflect the progress of corrective actions, with a focus on closing any security gaps.
While organizations don’t need to achieve the highest possible assessment score by mid-2024, they should be close to it by then. NIST 800-171A already holds them responsible for meeting all the security standards included in CMMC. If they haven’t yet fulfilled this obligation, immediate action is necessary.
Intech Hawaii Can Assess Your CMMC Compliance Needs
Intech Hawaii provides a comprehensive CMMC 2.0 assessment timeline designed to help you achieve your compliance goals. For more information, reach out to us for a consultation with our compliance experts, who can answer all your questions about NIST SP 800-171 and CMMC 2.0.