For companies doing business with the Department of Defense (DoD), the Cybersecurity Maturity Model Certification (CMMC) has been a source of confusion for nearly five years. Originally, November 30, 2020, was the deadline for DoD to implement a standard methodology for assessing DoD contractor compliance with security requirements in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. Concurrently, the DoD would roll out CMMC as a certification process designed to measure a company’s maturity and institutionalization of cybersecurity practices and processes. This certification, in turn, would be required for performance of DoD contracts.
Implementation suffered a delay in 2021 when the DoD announced it was suspending the current iteration of CMMC in order to streamline the size and scope of required administrative, technical, and physical controls for businesses contracting with the DoD. In its place, the DoD announced intentions to promote CMMC 2.0, which would reduce the certification model from five levels to three, remove additional controls under the initial program, and rely primarily on those set forth in NIST 800-171. All contractors required to meet Level 1 (foundational, with 10 required cybersecurity practices and annual self-assessments) would be able to self-attest to the satisfaction of associated requirements. Level 2 (advanced, with 110 required practices aligned with NIST 800-171) would take a bi-furcated approach to certification, with some priority contractors needing to participate in the audit process, while a subset of non-priority contractors would be able to self-attest to satisfaction. Level 3 (expert, with at least 110 required practices aligned with NIST 800-171), would be subject to heightened requirements relating to the sensitivity of information transmitted under the contracts.
But ever since the DoD’s 2021 announcement, government contractors have largely been left in the dark about how and when CMMC will take effect, and what impact its implementation may have on business. As we look ahead to the remainder of 2023 and 2024, here is where the CMMC currently stands.
Rulemaking Publication and Timeline
The DoD has been delayed more than seven months in sending the completed rule package to the Office of Management and Budget (OMB) for evaluation. The DoD had predicted that the rulemaking process could take up to 24 months to complete, but the additional delay suggests continued disagreement within the DoD as to implementation. Complicating the process is that in addition to a draft 32 CFR rule, the DoD will also need to send a 48 CFR rule to support the implementation of CMMC through contractual requirements.
Following transmission to OMB, the draft rules will need to be evaluated and approved by OMB, which would then allow the DoD to publish the regulations as an “interim final” rule to become effective 60 days after publication. Alternatively, OMB could approve the CMMC regulations as a “proposed rule” and allow for a comment period of up to one year preceding the final rule’s effective date. Currently, the Fall 2022 Unified Agenda shows CMMC regulations in the “proposed rule” stage, with a notice of proposed rulemaking to publish in May 2023. That timeline, however, is of course subject to change as an interim final rule could speed up the calendar.
The timeline could also change because the 2022 National Defense Authorization Act (NDAA) required the clarification of the definition of Controlled Unclassified Information (CUI). This is important because the definition of CUI dictates contractor and government obligations under CMMC and various DOD regulations. The clarification should be provided sometime in 2023. Additionally, an update to NIST SP 800-171 is expected in 2023. The CUI definition and the NIST update will impact both CMMC and the current Defense Federal Acquisition Regulatory Supplement (DFARS) clauses at 252.204-7012, 252.204-7019, and 252.204-7020.
To be clear, since 2017 defense contractors have been required to follow cybersecurity standards. CMMC adds a verification requirement to that baseline mandate. During publication of the original CMMC, the DoD announced that the “certification” in CMMC would be conducted by CMMC Third-Party Assessment Organizations (C3PAOs), which would be authorized by the Cyber Accreditation Body. Yet, as we wait for a finalized rule, defense contractors have been left hanging with respect to whether their contracts will permit self-assessment or require assessment by a C3PAO. At this time, 35 organizations have been approved by the Cyber Accreditation Body to serve as C3PAOs. Several hundred additional organizations are currently being trained and evaluated, but depending upon when CMMC takes effect, demand for accreditation could sharply exceed supply.
What to Do While we Wait
Even though it is unknown which contracts will be covered by CMMC, contractors (whether prime contractors or subcontractors) should continue to prepare for implementation of the program. The requirements to institute the controls under NIST 800-171 have largely been required for defense contracts for a number of years now and, even if there are material changes to the CMMC program, the requirements for handling CUI are not expected to change. The only thing that really changes with CMMC going forward, is that your compliance will be assessed and accredited.
So, if your security framework is not up to standards, now is the time to start working towards alignment. If you are comfortable with your company’s alignment to NIST 800-171, follow through on annual assessments and start identifying potential C3PAOs that are either currently accredited or in the process of accreditation. Do not wait until publication of the CMMC to get started. Even an ounce of preparation can make a major difference as we proceed through 2023 and 2024.