WHAT’S THE HUBBUB ALL ABOUT?
While the title of this article makes a bold statement, in full transparency, we cannot assert that we can make complete sense of CMMC, nor can we with certainty provide concise information on the status of rulemaking; we can provide you with the latest information as we know it (as of January 18, 2023).
The CMMC implementation goalposts may be changing again due to a delay in the federal rule-making process, basically coming down to either:
- accepting the Interim Final Rule (IFR) that became effective in November 2020 and implementing CMMC 2.0 sooner rather than later, which means an effective date relatively close to the May 2023 target or
- publishing as a notification of proposed rulemaking (NPRM ) requiring a full round of comments and delaying CMMC 2.0 implementation for at least another year, which means an effective date sometime in mid-to-late 2024.
A comment period would be required under NPRM, whereby that process takes an average of a year for completion. Under the IFR in 2020, it can be argued that there was a comment period, and thus, would be able to implement CMMC 2.0 sooner, possibly staying close to the original implementation date of May 2023.
The norm is to publish as an NPRM with the required comment period. However, the DoD feels it can make a compelling argument to go the IFR route and keep the current timeline relatively intact. According to Stacy Bostjanick of the DoD Chief Information Office, “We aren’t dead yet. It’s only a flesh wound!!! We may still be able to get an interim rule if we have a really compelling argument!!!”
While this is being debated, in the meantime, DoD contractors must maintain their course.
How Does this Change the Timeline for DoD Contractors
For the past year, many DoD contractors, known as Organizations Seeking Certification (OSC) in CMMC vernacular, have been using May 2023 as a target point for their CMMC readiness strategy and may wonder if their efforts have been wasted or if they should wait. Depending on the decision, whether IFR or NPRM, the implementation of CMMC 2.0 will be effective anytime between May 2023 and mid-to-late 2024.
That is a wide window. However, do not wait. In either case, the clock is ticking. Under either situation, it is not expected that there will be earth-shattering changes in the current CMMC 2.0 Model. It should not drastically change a DoD contractor’s trajectory for CMMC compliance preparation. Stacy Bostjanick recently stated in regard to this issue, “Don’t wait to get in compliance as of right now DCMA can come calling the check so what are you waiting for.”
This is a very accurate statement. The Defense Contract Management Agency (DCMA) has been known to have the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) conduct independent assessments (see DFARS 252.204.7020 below) on DoD contractors.
Minimum Regulatory Requirements Before CMMC Certification
The Interim Final Rule, which was made effective in November 2020, is still alive. The IFR lays out the requirements for DoD contractors to adequately protect controlled unclassified information (CUI). Based on the IFR, all DoD contractors that store, process, or transmit CUI must meet the following:
- FAR 52.204-21: “Basic Safeguarding” Cybersecurity Requirements for Federal Contractors” – 15 Security Controls
- DFARS Clause 252.204-7012: NIST SP 800-171 Self-Assessment – 110 Security Controls – complete by 12/2017
- DFARS Clause 252.204-7019: NIST SP 800-171 Self-Assessment [Reportable Score to Supplier Performance Risk System]
- DFARS Clause 252.204-7020: NIST SP 800-171 Independently Assessed by DCMA / DIBCAC
At a minimum, small to medium businesses (SMBs) must meet numbers 1, 2, and 3 above. The DoD contractor must meet the 15 basic safeguarding requirements (#1 above), conduct a self-assessment of the 110 security controls in NIST SP 800-171 (#2 above), and report your SPRS score based on that assessment (#3 above).
Do Not Wait to Prepare for CMMC Certification
Preparing for CMMC Level 2 is time-intensive and not a zero-sum game. CMMC certification cannot be achieved without meeting the prerequisites as established in the IFR. Additionally, the CMMC Ecosystem will be stretched and could be a mad rush to the finish line once the implementation of CMMC 2.0 is official with language included in DoD solicitations.
Start the journey now, if you have not already started, beginning with the DFARS clauses. Doing nothing is not a plan; it’s risky and ignores FAR, CUI, DFARS, and CMMC compliance requirements.
Ignoring key strategies for protecting CUI is a poor decision that will increase the overall cost, but most importantly, it will fail to deliver resilient capabilities to the warfighter.
For more information on how we can answer any of your questions or assist you on the journey to FAR, DFARS, CUI, or CMMC readiness, please visit our website at: www.securestrux.com
Tony Buenger (CCISO, CISSP, CISM, CGEIT)
CMMC Provisional Assessor (PA), CMMC Provisional Instructor (PI),
Certified CMMC Professional (CCP), Certified CMMC Assessor (CCA)
Director, Governance, Risk, and Compliance