While the title of this article makes a bold statement, in full transparency we cannot claim to make complete sense of CMMC, nor can we state with certainty where rulemaking stands; what we can do is provide the latest information as we know it (as of January 18, 2023).
The CMMC implementation goalposts may be changing again due to a delay in the federal rule-making process, basically coming down to either:
- accepting the Interim Final Rule (IFR) that became effective in November 2020 and implementing CMMC 2.0 sooner rather than later, which means an effective date relatively close to the May 2023 target or
- publishing as a notice of proposed rulemaking (NPRM), which requires a full round of comments and delays CMMC 2.0 implementation for at least another year, meaning an effective date sometime in mid-to-late 2024.
A comment period would be required under an NPRM, a process that takes about a year on average to complete. Under the IFR in 2020, it can be argued that a comment period already took place, and thus the DoD would be able to implement CMMC 2.0 sooner, possibly staying close to the original implementation date of May 2023.
The norm is to publish as an NPRM with the required comment period. However, the DoD feels it can make a compelling argument to go the IFR route and keep the current timeline relatively intact. According to Stacy Bostjanick of the DoD Chief Information Office, “We aren’t dead yet. It’s only a flesh wound!!! We may still be able to get an interim rule if we have a really compelling argument!!!”
While this is being debated, in the meantime, DoD contractors must maintain their course.
How Does This Change the Timeline for DoD Contractors?
For the past year, many DoD contractors, known as Organizations Seeking Certification (OSCs) in CMMC vernacular, have been using May 2023 as the target date for their CMMC readiness strategy and may wonder whether their efforts have been wasted or whether they should wait. Depending on the decision, IFR or NPRM, CMMC 2.0 will become effective anytime between May 2023 and mid-to-late 2024.
That is a wide window. However, do not wait: in either case the clock is ticking, and no earth-shattering changes to the current CMMC 2.0 Model are expected, so the outcome should not drastically change a DoD contractor’s trajectory for CMMC compliance preparation. Stacy Bostjanick recently stated in regard to this issue, “Don’t wait to get in compliance as of right now DCMA can come calling the check so what are you waiting for.”
This is a very accurate statement. The Defense Contract Management Agency (DCMA) has been known to have the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) conduct independent assessments of DoD contractors (see DFARS 252.204-7020 below).
Minimum Regulatory Requirements Before CMMC Certification
The Interim Final Rule, which was made effective in November 2020, is still alive. The IFR lays out the requirements for DoD contractors to adequately protect controlled unclassified information (CUI). Based on the IFR, all DoD contractors that store, process, or transmit CUI must meet the following:
1. FAR 52.204-21: “Basic Safeguarding” Cybersecurity Requirements for Federal Contractors – 15 Security Controls
2. DFARS Clause 252.204-7012: NIST SP 800-171 Self-Assessment – 110 Security Controls – complete by 12/2017
3. DFARS Clause 252.204-7019: NIST SP 800-171 Self-Assessment – Reportable Score to the Supplier Performance Risk System (SPRS)
4. DFARS Clause 252.204-7020: NIST SP 800-171 Independently Assessed by DCMA / DIBCAC
At a minimum, small to medium businesses (SMBs) must meet numbers 1, 2, and 3 above. The DoD contractor must meet the 15 basic safeguarding requirements (#1 above), conduct a self-assessment against the 110 security controls in NIST SP 800-171 (#2 above), and report its SPRS score based on that assessment (#3 above).