DoD Contractors Want to Know What the Hubbub is All About

Although the title of this article makes a bold claim, in full transparency we cannot assert that we make complete sense of CMMC, nor can we say with certainty where the rulemaking stands. What we can do is provide the latest information as we know it (as of January 18, 2023).

The CMMC implementation goalposts may be moving again because of a delay in the federal rulemaking process. The question comes down to two paths. If the DoD can rely on the Interim Final Rule (IFR) that took effect in November 2020, CMMC 2.0 could be implemented sooner rather than later, with an effective date relatively close to the May 2023 target. If instead the rule must be published as a Notice of Proposed Rulemaking (NPRM), a full round of public comment is required, which would delay CMMC 2.0 implementation by at least another year and push the effective date to sometime in mid-to-late 2024.

An NPRM requires a comment period, and that process takes about a year on average to complete. It can be argued that the 2020 IFR already had a comment period, in which case the DoD would be able to implement CMMC 2.0 sooner, possibly staying close to the original implementation date of May 2023.

The norm is to publish as an NPRM with the required comment period. However, the DoD feels it can make a compelling argument to go the IFR route and keep the current timeline relatively intact.

According to Stacy Bostjanick of the DoD Chief Information Office, “We aren’t dead yet. It’s only a flesh wound! We may still be able to get an interim rule if we have a really compelling argument!”

While this is being debated, DoD contractors must hold their course.

How Does This Change the Timeline for DoD Contractors?

For the past year, many DoD contractors, known in CMMC vernacular as Organizations Seeking Certification (OSCs), have been using May 2023 as the target for their CMMC readiness strategy, and they may wonder whether their efforts have been wasted or whether they should wait. Depending on the decision, IFR or NPRM, CMMC 2.0 will take effect sometime between May 2023 and mid-to-late 2024.

That is a wide window, but do not wait. In either case the clock is ticking, and neither path is expected to bring earth-shattering changes to the current CMMC 2.0 model. The decision should not drastically change a DoD contractor’s trajectory for CMMC compliance preparation.

Stacy Bostjanick recently stated in regard to this issue, “Don’t wait to get in compliance. As of right now, DCMA can come calling to check, so what are you waiting for?”

This is an accurate statement. The Defense Contract Management Agency (DCMA), through its Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), already conducts independent assessments of DoD contractors under DFARS 252.204-7020 (see below).

Minimum Regulatory Requirements Before CMMC Certification

The Interim Final Rule, which took effect in November 2020, remains in force. The IFR lays out the requirements for DoD contractors to adequately protect controlled unclassified information (CUI). Under the IFR, every DoD contractor that stores, processes, or transmits CUI must meet the following:

  1. FAR 52.204-21, “Basic Safeguarding of Covered Contractor Information Systems” – 15 basic safeguarding requirements
  2. DFARS Clause 252.204-7012 – Implement the 110 security requirements of NIST SP 800-171 (required by 12/31/2017)
  3. DFARS Clause 252.204-7019 – NIST SP 800-171 Basic (self-) Assessment, with the resulting score reported to the Supplier Performance Risk System (SPRS)
  4. DFARS Clause 252.204-7020 – NIST SP 800-171 DoD Assessment conducted independently by DCMA / DIBCAC

At a minimum, small to medium businesses (SMBs) must meet numbers 1, 2, and 3 above: implement the 15 basic safeguarding requirements (#1), implement and self-assess the 110 security requirements in NIST SP 800-171 (#2), and report the resulting score to SPRS (#3). Number 4 applies when the DoD elects to conduct its own assessment of the contractor.

CMMC Readiness: Do Not Wait to Prepare for Certification

Preparing for CMMC Level 2 is time-intensive and cannot be crammed into the final weeks. CMMC certification cannot be achieved without first meeting the prerequisites established in the IFR. Additionally, the CMMC ecosystem of assessors will be stretched, and there could be a mad rush to the finish line once CMMC 2.0 implementation is official and the clause language appears in DoD solicitations.

Start the journey now, if you have not already, beginning with the DFARS clauses. Doing nothing is not a plan; it is risky and ignores FAR, DFARS, CUI, and CMMC compliance requirements.

The Bottom Line for Federal Contractors

Ignoring the key strategies for protecting CUI is a poor decision: it will increase overall cost and, most importantly, it will fail to deliver resilient capabilities to the warfighter.

For more information on how we can answer any of your questions or assist you on the journey to FAR, DFARS, CUI, or CMMC readiness, please contact us.

Tony Buenger

CCISO, CISSP, CISM, CGEIT
Director, Governance, Risk, and Compliance

Tony Buenger is a skilled and dedicated security and governance professional with decades of experience in Department of Defense (DoD) cybersecurity consulting, planning, and implementation. Tony is a retired U.S. Air Force Lieutenant Colonel with 22 years of service, 15 of them spent in the Pentagon and other DoD agencies helping to modernize security infrastructure and systems. This work included moving the USAF from DIACAP compliance to a more modern risk-based approach based on NIST and the Risk Management Framework (RMF).
