The DoD’s CMMC program has had its fair share of complications and delays – no surprise there! It was first announced in June 2019, but it took until February 2020 for version 1.0 of the CMMC model document to be released. Finally, in September 2020, an interim rule was published. But then came the 850+ comments, and a restructuring of the program into “CMMC 2.0” in November 2021. So far, so good, but here’s where things get tricky. The DoD has said that the CMMC 2.0 rulemaking process could take 9-24 months, which is a pretty wide range, right? Companies have been left wondering when that time frame will begin and what the timeline might look like. But fear not! The DoD has finally provided some clarity during recent speaking engagements and conferences.
Get ready, folks! The DoD has some exciting news. At their recent “CMMC Day” conference, they announced plans to supercharge the implementation process. By July 2022, they’ll have their documentation ready to submit to the Office of Management and Budget (OMB), and by March 2023, interim final rules will be in place. It’s all part of a phased approach to make sure the CMMC requirement is included in all DoD solicitations and contracts by October 1, 2025.
Some big changes are brewing, because the Department of Defense is gearing up to roll out its new Cybersecurity Maturity Model Certification (CMMC) requirements! Beginning in May 2023, these requirements will start appearing in solicitations, but don’t worry – the DoD is taking a phased approach to ease everyone into it. In phase one, all offerors will conduct a self-assessment and affirm their compliance; in phase two (timing still TBD), it will be either self-assessments or third-party certifications, depending on the type of data involved and the required level. Stay on your toes and stay focused.
The DoD has spilled the beans: the third-party CMMC certification will last for a whopping three years! But wait, there’s more! Contractors will need to confirm their compliance annually. And where will all this juicy info be stored, you ask? None other than the CMMC Enterprise Mission Assurance Support Services (eMASS) database. And if you’re worried about your company’s street cred, fear not! The CMMC eMASS will automatically post a copy of your CMMC certificate to the Supplier Performance Risk System (SPRS). But shhh, don’t tell anyone, the detailed results of your CMMC assessment will be kept hush-hush.
Are you ready to level up? If you’re pursuing Level 3 or certain Level 2 programs, you know third-party certifications are a must. But don’t forget about the annual self-assessments required for Level 1 and some Level 2 programs! Just perform the assessment (with a nod from a senior company official), and submit the results and affirmation via SPRS. It’s that easy. And for those new to the SPRS game, creating an account is a cinch. Let’s get started on your compliance journey.
To all DoD contractors: it’s time to wake up and smell the CMMC coffee – it’s coming faster than you think. If you haven’t done so already, get your information systems ready for a CMMC assessment, and consider doing a self-assessment ASAP. If you have NIST 800-171 assessment scores posted in SPRS, work on those gaps and update your score to reflect the current status of your system. The DoD is even planning some “medium assessments” to make sure everyone is reporting accurately. So get cracking and get compliant, because falling short may cost you your current and future DoD contracts.
Conducting a thorough CMMC assessment can help improve the security of the Defense Industrial Base, and may also prove cost-effective. NIST has announced its intention to update NIST SP 800-171, the key document against which most CMMC assessments are evaluated. Companies that obtain CMMC certification before the NIST 800-171 update will only need to adhere to the current standard, Revision 2, rather than the upcoming Revision 3. Certifying early may give companies more time to understand any changes and additional security controls before the new revision is used for future evaluations.