The day might finally be here—the Department of Defense (DoD) plans to publish a rule to start implementing Cybersecurity Maturity Model Certification (CMMC). After the DoD reshaped the CMMC program to better fit small businesses 2 years ago, industry and contractors alike have been anxiously awaiting a final rule to formally implement CMMC.
CMMC, which is intended to ensure that contractors in the Defense Industrial Base (DIB) meet cybersecurity requirements for protecting Controlled Unclassified Information (CUI), will push the defense industry away from self-attesting its cybersecurity status and will provide a more consistent way to measure how effectively companies protect their networks.
The DoD has been discussing the release of a final CMMC rule for a while now, and while industry didn’t hold its breath for the September release that was last anticipated, it is gearing up to see the final rule now that the White House has finished its review. Let’s talk about how contractors can prepare for the CMMC final rule and what they should watch for when it’s released.
Final is never really final at first when it comes to legislation. When the rule is published in the Federal Register, it is more of a draft rule until the comment period is over. This rule is anticipated to be a hefty document of over 100 pages, meaning the DoD may extend the typical 60-day comment period by another 60 days. The comment period is expected to be extensive, with a lot to consider. Use this time to study the proposed rule, take in what industry is saying about CMMC and its requirements, and apply that to your CMMC plan.
No matter how large or small your company is, it takes time to train your employees and get them comfortable with implementing new requirements. Regular training and awareness of both basic and more complex cybersecurity measures can help ensure your company is well prepared when the final rule is released.
If the track record for the release of this rule teaches us anything, it’s patience. The rule has been pushed back several times and may be pushed again. When it does come out, you don’t want to be left scrambling while other companies have used this time to prepare with the information they were given. While some companies are waiting for more guidance to be released, others are already having third-party assessors conduct assessments. The DoD allows this as long as the third-party assessors are accredited by the Cyber AB and perform their audits in conjunction with the Defense Industrial Base Cybersecurity Assessment Center.
There is some speculation about how the final rule will address small businesses now that the CMMC program has been modified to reduce the number of CMMC levels from 5 to 3. One thing to pay attention to when the rule is released is whether small businesses will have different requirements than large businesses. Small businesses are a key concern for the DoD in developing CMMC, but it’s unclear what will be required of them. One thing we do know is that the DoD will rely on prime contractors to ensure CMMC requirements are followed throughout their supply chains.
This rule will likely give more insight into how the DoD plans to implement CMMC over time. In August, a few CMMC documents were accidentally released, and they alluded to a ramp-up of certification requirements. It appears that the roll-out will start small but quickly expand through a series of requirements. The documents could have changed between August and the final release, so it’s important to take note of how CMMC will be rolled out so you can adjust your plan accordingly.
Most other government agencies have been silent on whether they will adopt CMMC as well, but once the rule is released, they may start looking to implement it or variations based on it. All agencies are facing cybersecurity challenges and will eventually be pushed to find some sort of solution. If you are not in the Defense Industrial Base, CMMC may still apply to you down the road, so keep a close eye on other agency requirements.
CMMC is one of many requirements that set out to mitigate cyberattacks and compromised networks. Since Executive Order 14028, “Improving the Nation’s Cybersecurity,” was released in 2021, the federal government has been implementing ways to fulfill it. Recently, for example, the Federal Register published 2 newly proposed Federal Acquisition Regulation (FAR) rules to establish cybersecurity procedures and policies, to name just a few of the updates currently underway.
We know it can be overwhelming to keep up with all of these changing regulations. If you want to stay up to date on CMMC and other related insights, you can subscribe to our blog and monthly newsletter. If you have questions about preparing your contract for CMMC, our expert consultants are available to offer support.