The Department of Defense’s CMMC program has taken a giant step ahead with the publication of the CMMC Proposed Rule on December 26th in the Federal Register . This begins a 60-day comment period, with the expectation that CMMC will begin to appear in contracts by late 2024 or early 2025. While the proposed rule is a long read, here are 5 key points from the CMMC rule publication:
- The wait is over. For those that have been holding out, unsure if CMMC will make it across the finish line, it is official! This is happening, and the DoD will be checking to see who is and who isn’t compliant. Failure to meet the necessary requirements could cost your firm dearly. At minimum, your firm could have your current contract revoked, and/or lose the ability to bid on new contracts that have CMMC requirements in the DFARS clause. In addition, you could be subject to the False Claims Act, the result of which can be fines and penalties up to 150% the cost of the contract.
- CMMC 2.0 and in particular CMMC 2.0 Level 2 is NOT its own standard. It is the certification of a company’s compliance to NIST 800-171 rev 2. NIST 800-171 has been in contracts since 2016. If you are on a current defense contract, you are likely already required to be compliant to NIST 800-171, and you have been self-attesting to compliance. The CMMC is simply a verification of what you should already be doing.
- There will be a backlog and you will be waiting to get certified. By current estimations, there are over 83,000 members of the Defense Industrial Base (DIB) that will require a level 2, third party assessment. As of the publication of the CMMC 2.0 rule, there are less than 50 Certified Third-Party Assessing Organizations (C3PAOs). There are not enough C3PAOs to get every Organization Seeking Certification (OSC) through the assessment process promptly at the start. Long waits will be inevitable, which could cause issues for companies attempting to get assessed before a contract renewal. Do not delay!
- CMMC is not just for direct Defense Contractors and members of the Defense Industrial Base. If you are a Managed Services Provider (MSP) that works with defense contractors, you must meet CMMC Level 2 if the same is required of your client. If you are an OSC, you must confirm that your MSP has achieved the CMMC for the same level or a higher level than your organization is subject to.
- JSVAP Assessment is available now. Currently, C3PAOs are not assessing organizations and the Level 2 Certification is not available. The Joint Surveillance Voluntary Assessment Program, or JSVAP, is the current pilot program for the CMMC assessment process. C3PAOs are assessing a small number of volunteer defense contractors, under the eye of the DIB Cybersecurity Assessment Center or DIBCAC. Once complete, the contractors that receive a perfect score are eligible to receive a CMMC Level 2 certification.
Where are YOU on your CMMC Journey?
CMMC will be finalized, and you will be required to meet its requirements. With the proposed rule moving forward, if you haven’t started getting prepared, you must start now! CMMC is not a straightforward checklist. The framework’s comprehensive nature means that a detailed understanding of the necessary controls and processes is needed, especially at medium or higher certification levels. Summit Business Technologies uses a security-first approach to compliance, saving you time, minimizing your risks, and reducing your costs. Contact us today to get more information.