For companies doing business with the Department of Defense (DoD), the Cybersecurity Maturity Model Certification (CMMC) has been a source of confusion for nearly five years. Originally, Nov. 30, 2020, was the deadline for DoD to implement a standard methodology for assessing DoD contractor compliance with security requirements in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. Concurrently, the DoD would roll out CMMC as a certification process designed to measure a company’s maturity and institutionalization of cybersecurity practices and processes. This certification, in turn, would be required for the performance of DoD contracts.
Implementation suffered a delay in 2021 when the DoD announced it was suspending the current iteration of CMMC in order to streamline the size and scope of required administrative, technical, and physical controls for businesses contracting with the DoD. In its place, the DoD announced intentions to promote CMMC 2.0, which would reduce the certification model from five levels to three, remove additional controls under the initial program, and rely primarily on those set forth in NIST 800-171. All contractors required to meet level one — foundational, with 10 required cybersecurity practices and annual self-assessments — would be able to self-attest to the satisfaction of associated requirements. Level two — advanced, with 110 required practices aligned with NIST 800-171 — would take a bi-furcated approach to certification with some priority contractors needing to participate in the audit process, while a subset of non-priority contractors would be able to self-attest to satisfaction. Level three — expert, with at least 110 required practices aligned with NIST 800-171 — would be subject to heightened requirements relating to the sensitivity of information transmitted under the contracts.
But ever since the DoD’s 2021 announcement, government contractors have largely been left in the dark about how and when CMMC will take effect and what impact its implementation may have on business. As we look ahead to the remainder of 2023 and 2024, here is where the CMMC currently stands.
Rulemaking Publication and Timeline
The DoD has been delayed more than seven months in sending the completed rule package to the Office of Management and Budget (OMB) for evaluation. The DoD had predicted that the rulemaking process could take up to 24 months to complete, but the additional delay suggests continued disagreement within the DoD as to implementation. Complicating the process is that in addition to a draft 32 CFR rule, the DoD will also need to send a 48 CFR rule to support the implementation of CMMC through contractual requirements.
Following transmission to OMB, the draft rules will need to be evaluated and approved by OMB, which would then allow the DoD to publish the regulations as an “interim final” rule to become effective 60 days after publication. Alternatively, OMB could approve the CMMC regulations as a “proposed rule” and allow for a comment period of up to one year preceding the final rule’s effective date. Currently, the Fall 2022 Unified Agenda shows CMMC regulations in the “proposed rule” stage, with a notice of proposed rulemaking to be published in May 2023. That timeline, however, is of course subject to change as an interim final rule could speed up the calendar.
The timeline could also change because the 2022 National Defense Authorization Act (NDAA) required the clarification of the definition of Controlled Unclassified Information (CUI). This is important because the definition of CUI dictates contractor and government obligations under CMMC and various DOD regulations.1 The clarification should be provided sometime in 2023. Additionally, an update to NIST SP 800-171 is expected in 2023. The CUI definition and the NIST update will impact both CMMC and the current Defense Federal Acquisition Regulatory Supplement (DFARS) clauses at 252.204-7012, 252.204-7019 and 252.204-7020.
To be clear, since 2017, defense contractors have been required to follow cybersecurity standards. CMMC adds a verification requirement to that baseline mandate. During the publication of the original CMMC, the DoD announced that the “certification” in CMMC would be conducted by CMMC Third-Party Assessment Organizations (C3PAOs), which would be authorized by the Cyber Accreditation Body. Yet, as the wait continues for a finalized rule, defense contractors have been left hanging with respect to whether their contracts will permit self-assessment or require assessment by a C3PAO. At this time, thirty-five organizations have been approved by the Cyber Accreditation Body to serve as C3PAOs. Several hundred additional organizations are currently being trained and evaluated, but depending upon when CMMC takes effect, demand for accreditation could sharply exceed supply.
What To Do During the Wait
Even though it is unknown which contracts will be covered by CMMC, contractors —whether prime contractors or subcontractors — should continue to prepare for the implementation of the program. The requirements to institute the controls under NIST 800-171 have largely been required for defense contracts for a number of years now, and even if there are material changes to the CMMC program, the requirements for handling CUI are not expected to change. The only thing that really changes with CMMC going forward, is that compliance will be assessed and accredited.
So, if a security framework is not up to standards, now is the time to start working towards alignment. If the company is aligned to NIST 800-171, follow through on annual assessments and start identifying potential C3PAOs that are either currently accredited or in the process of accreditation. Do not wait until the publication of the CMMC to get started. Even an ounce of preparation can make a major difference through 2023 and 2024.
1In late spring 2023, it is likely that the DoD will propose a rule which expands its cyber-incident information sharing program for classified programs to those contractors who “process, store, develop, or transit” CUI from DoD.