The Cybersecurity Maturity Model Certification (CMMC) has been in the works for several years at this point. First announced in 2019 by the Department of Defense (DoD), the CMMC model has been revised and tweaked over the years as it crawls to the ratification finish line. In July of 2023 CMMC was sent off to the Office of Management and Budget (OBM) and the Office of Information and Regulatory Affairs (OIRA) for regulatory review with a 90-day period to send the rule back or approve its publication in the federal register. This review period was then extended by 30 days. Finally, in the last days of 2023 we received an update on the status of the CMMC rule.
What's changed for CMMC?
After regulatory approval, the Department of Defense has officially published CMMC into the federal register as a proposed rule on December 26, 2023. Published under the name 32 CFR Part 170, CMMC 2.0 will undergo a public comment period of 30-60 days where the public is given the opportunity to express their concerns or approval of the rule. This public comment period will end on February 26th, 2024.
This document is 234 pages long and contains a comprehensive description of CMMC. Being published as a "proposed rule" means that an agency is intending for this rule to "address a problem or accomplish a goal" and seeks the publics input. The feedback received from this public comment period will inform how the "final rule" is structured.
How Should Businesses Respond?
Businesses that fall in scope of CMMC will need to take proactive action to the upcoming rule. Organizations seeking certification (OSC) should have already taken the steps to ensure they are CMMC compliant so that when the final rule is officially implemented, they can be confident in their ability to defend CUI. With thousands of organizations within scope of CMMC and only a limited number of auditors, it could take a considerable amount of time to successfully certify your business. This is why it is important to act now!
Corporate Information Technologies (CorpInfoTech) has been following the progression of the CMMC rule for the past several years. As the CMMC rule reaches completion, it's important to understand the importance of becoming and remaining compliant. Through CorpInfoTech's managed services, your organization can remain confident your data is protected and your organization compliant. Any MSP that works with DIB contractors must also be CMMC compliant regardless of the existence of CUI. CorpInfoTech is taking the steps to become CMMC certified as soon as the final rule releases and CMMC goes into effect.
"CorpInfoTech engages with external sources for validation to ensure our processes, procedures, and tools are valid and compliant. We have officially registered with Cyber AB as an OSC (Organization Seeking Certification) so that when the rule is finalized, we are ready." - Lawrence Cruciana, Founder and President of CorpInfoTech
CorpInfoTech (Corporate Information Technologies) provides small to mid-market organizations with expert I.T. services, including security assessment, cybersecurity penetration tests, managed services (MSP), firewall management, and vulnerability management. CorpInfoTech can help organizations, quantify, create, refine, and mitigate the risks presented by business threatening disasters in whatever form they may be disguised.