
How Should Contractors Prepare For CMMC?

Written by Waits Sharpe | Sep 12, 2023 2:15:31 PM

Update 2/204: After a 60-day public comment period that ended on February 26th, 2024, the CMMC proposed rule has been returned to the rule makers to make the necessary changes and respond to the comments received.

Prepping For CMMC

The Cybersecurity Maturity Model Certification (CMMC) has been a common talking point among contractors working within the Defense Industrial Base (DIB) and with the Department of Defense (DoD). Confusion surrounding what it entails, whom it applies to, and when it will take effect has been prevalent since its first iteration in 2020. Since then, CMMC has moved into its second version, consolidating the previous five levels into three. Now that the DoD has submitted its plan to the OMB, many organizations are asking themselves what they should do to prepare.

Where Does The CMMC Rule Stand?

Originally announced in 2020, CMMC has been delayed several times as the DoD has made changes and tweaked its implementation plan. In 2021, CMMC was given its second version, which consolidated the five levels of maturity into three.

Since then, news surrounding when the CMMC rule would be sent to the OMB has been scarce. On July 25th, 2023, the Department of Defense submitted the proposed rule for the CMMC program to the Office of Management and Budget (OMB) and the Office of Information and Regulatory Affairs (OIRA). This marks a big step forward in getting CMMC firmly planted as a compliance standard for thousands of organizations. From here, the OMB has 60-90 days to complete its review of the proposed rule.

Assuming it isn't sent back to the DoD for revision, the CMMC rule will be added to the Federal Register. Once published in the Federal Register, it can appear either as a proposed rule or as an interim final rule. If the OMB decides to publish a CMMC proposed rule, there will be a 60-day public comment period before the OMB and DoD can begin to implement CMMC in contracts. Alternatively, the OMB could publish a CMMC interim final rule, which would allow the OMB and DoD to implement CMMC in contracts during the public comment period.

Either way, CMMC isn't going anywhere and will continue to impact contractors sooner rather than later.

How Should Contractors Respond To CMMC?

Contractors are taking two different approaches to handling CMMC compliance. Many are choosing to "wait and see" how and when the CMMC rule is published. Depending on a company's current security configuration, CMMC compliance can take time to prepare for and can prove costly. This is why many contractors are waiting to make the big business decisions until the OMB decides to publish the rule.

Other organizations have chosen to proactively continue implementing their CMMC plans and to have third-party assessments done, so that when CMMC becomes applicable they are ahead of the curve. CorpInfoTech suggests taking the latter approach.

The maturity levels of CMMC are built on the NIST 800-171 framework and contain the foundational security controls your organization will be assessed on to determine your SPRS score. CorpInfoTech can conduct a comprehensive security assessment to determine whether your business will be compliant come audit time. This assessment gives you a better understanding of what your SPRS score will look like, as well as an actionable plan for how to fix any gaps in your security. When it comes to compliance, being proactive is always the smartest choice.

Reach out today to CorpInfoTech for a security assessment and be proactive for CMMC.

CorpInfoTech (Corporate Information Technologies) provides small to mid-market organizations with expert I.T. services, including compliance assessment, cybersecurity penetration tests, and comprehensive business continuity planning services. CorpInfoTech can help organizations quantify, create, refine, and mitigate the risks presented by business-threatening disasters in whatever form they may be disguised.