The Department of Defense (DoD) and the Office of Management and Budget (OMB) are expecting the release of a proposed Cybersecurity Maturity Model Certification (CMMC) rule in September 2023. This rule was originally expected earlier this summer, but once released will set the framework for CMMC. Since this rule has been highly anticipated, let’s cover what you can expect over the next few months and how you can prepare for the implementation of CMMC.
First off, let’s cover what CMMC is and what it means for contractors. For several years now, the DoD has been discussing the idea of a Cybersecurity Maturity Model Certification (CMMC) that would ensure contractors are complying with National Institute of Standards and Technology (NIST) guidelines for protecting Controlled Unclassified Information (CUI). CMMC will encourage the defense industry to migrate away from self-attesting to their cybersecurity status and require contractors to meet certain levels depending on the scope and amount of information at stake in each contract.
CMMC has had a long journey so far in its development, and is now on CMMC 2.0 as of the fall of 2021. The idea of this certification is it will require third party assessors to audit contractors to make sure they are in compliance with NIST-Standard 800-171.
CMMC mainly affects contractors and subcontractors in the Defense Industrial Base (DIB), meaning if you do business with the DoD and handle sensitive unclassified information then you will need to pay close attention to this requirement. Once CMMC is fully implemented, affected contractors will be required to achieve a certain CMMC level as a condition for contract award.
However, certain civilian contracts may add CMMC to the requirements as well, so it’s important all government contractors have a baseline understanding of what CMMC is and when it’ll start becoming a full-time requirement.
So, now that you know a little bit about CMMC, where does the final rule come in? Since the CMMC program has been reformed into CMMC 2.0, the Pentagon has been drafting a final rule that will mandate affected contractors who work with the department’s CUI to be CMMC certified. This rule has been highly anticipated for months by both government and industry alike, but there's still a lot to go regarding the rulemaking process.
Now that the DoD has submitted its plan to certify cybersecurity compliance to the OMB, the agency will take the next 90 days to review the rule. Once it’s reviewed, it will be published in the Federal Register under one or two classifications. Originally, it was thought that the CMMC rule could be published as an interim final rule, bypassing certain requirements under “good cause,” and it would take effect over the following 60 days. However, as of now, it appears as if the regulation will go the typical route as a proposed rule, meaning it includes a more involved comment and feedback process. This will extend the time it takes for the rule to be final, but this also indicates the DoD views this regulation as significant.
Both options require a period of taking open public comments into consideration, even if it’s considered an interim final rule.
While there is still a significant amount of time to go before the CMMC rule is finalized and will start showing up in DoD contracts, now that the rule is under review by the OMB, the framework is starting to become more tangible.
The industry has been split on how they are handling impending CMMC compliance as we wait for the final rule to take effect. Many contractors are taking a wait and see approach and laying low until the rule is published. However, others are being more proactive and are continuing with CMMC plans, having third-party assessors conduct assessments. The DoD has allowed this as long as the third-party assessors are credited by the Cyber AB and perform their audits in conjunction with the Defense Industry Base Cybersecurity Assessment Center.
We suggest you designate at least one person on your team to keep track of CMMC updates and start implementing a plan for once CMMC is rolled out if you haven’t started already. For the latest insights and government contracting news on CMMC and other requirements, you can check out our blog and sign-up for our monthly newsletter. If you have questions or concerns about implementing CMMC in the future or other GSA Schedule requirements, we would be happy to help.