If you are a contractor or subcontractor working with the Department of Defense (DoD), you’ve probably heard of the Cybersecurity Maturity Model Certification (CMMC). The CMMC initiative aims to enhance the cybersecurity posture of the Defense Industrial Base (DIB) by requiring all contractors to meet certain standards and practices based on the type and sensitivity of the information they handle.
CMMC has undergone several changes and delays since it was first announced in June 2019. However, recent updates point to the impending final rule coming as soon as Q1 2025. This blog post will take you through the latest information from the DoD and the Cyber-AB, as well as how you can prepare for CMMC certification and compliance.
What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) was conceived out of the Department of Defense’s (DoD) recognition of the critical importance of cybersecurity within the defense supply chain. The DoD initiated efforts to create a comprehensive cybersecurity framework that would establish specific standards for defense contractors. This framework aims to provide a consistent and measurable standard for cybersecurity maturity, ultimately safeguarding sensitive information, enhancing national security, and mitigating cyber threats. In essence, CMMC is an assessment program designed to hold contractors accountable and ensure the implementation of minimum cybersecurity standards.
The Role of NIST 800-171 in CMMC
At the core of CMMC lies the NIST 800-171 framework, which serves as the foundation for its assessment criteria. Cybersecurity maturity under CMMC is based on a combination of NIST 800-171 controls and additional requirements to communicate and demonstrate readiness to the Department of Defense.
NIST 800-171 is a set of security requirements that have been in use by the US government since the Obama administration. These requirements are meticulously mapped to the US government’s cybersecurity controls in NIST 800-53, providing a standardized and uniform set of requirements for the storage, transmission, or processing of Controlled Unclassified Information (CUI) by non-government organizations.
NIST 800-171 Revision 3 – Major Changes
In the realm of cybersecurity, change is constant, and NIST 800-171 is no exception. The latest revision, the NIST 800-171 rev3 draft, brings significant changes that organizations must take seriously. The scope has expanded from 14 to 17 domains, and the total number of security requirements has increased from 110 to 138. Among the noteworthy changes, the cryptography requirements shift away from mandating the use of Federal Information Processing Standards (FIPS), allowing companies to implement Organizationally Defined Parameters (ODP) solutions based on their own risk assessments. New Supply Chain Risk Management requirements mandate that organizations establish a third-party risk management program. Under these requirements, external service providers such as Managed Service Providers must adhere to the organization's security requirements, and the organization must establish a monitoring function to assess external service provider compliance.
The Current Timeline
The Current Status of the CMMC Rulemaking Process
While the update to NIST 800-171 isn’t part of establishing the CMMC requirement, it is a significant piece of the CMMC puzzle. Because CMMC level 2 requires compliance with NIST 800-171, the R3 update means that organizations will need to meet the new 800-171 standards. As of now, NIST has issued a call for comments on NIST 800-171 rev 3. This draft, along with comments, can be accessed for review here. If your organization hasn’t started preparing for the changes in Rev 3, be aware that there is a substantial amount of work ahead.
As for the CMMC program itself, the rule-making process has commenced with the submission of Title 32 CFR to the Office of Management and Budget (OMB) for review. While there has been speculation about this timeline, the DoD has remained consistent in its projection that the rule will become final in the fiscal year 2025, as indicated back in 2019.
The next phase after rule submission is the publication of the rule itself, which can take two forms:
Interim Final Rule: The rule is released as an interim final rule, immediately becoming active and a requirement in contracts.
Proposed Final Rule: The rule is released as a proposed rule, with an additional 60-day comment period for the general public. The rule cannot become final until all comments have been addressed.
Two Possible Scenarios
Proposed Final Rule
In this scenario, the proposed rule will be available for comment in October of this year. After the proposed rule, there will be a comment period, and the DoD must respond to those comments, which has historically taken about a year. If the proposed rule comes out in October as projected, we can anticipate a Final Rule implementation sometime in the first quarter of 2025, aligning with the DoD’s initial 2019 timeline. While 2025 may seem far away, given the requirements to implement 800-171 R3 and be ready for an assessment, the timeline is shorter than one might think.
Interim Final Rule
In this scenario, the final rule is deemed ready to be placed into contracts immediately upon ruling. While there is still a comment period, the DoD is not required to address all comments before finalizing the rule. For most, this may seem like a long shot due to the rule’s complexity.
Note that regardless of the timing of the final rule, compliance with NIST 800-171 rev2 is already mandated by DFARS 252.204-7012. While contractors are permitted to self-attest, the DoD requires an assessment of contractor readiness through the recording of a score in the Supplier Performance Risk System (SPRS). RFPs already include things like minimum score requirements or state that the score will be a selection criterion. The government can bring False Claims Act cases against organizations that report SPRS scores that are not backed up by evidence.
The Current Assessment Timeline
The path to certification is a critical aspect of CMMC. The Joint Surveillance Voluntary Assessment Program (JSVAP) is a pioneering initiative designed to bolster the cybersecurity defenses of defense contractors. Under the JSVAP, defense contractors voluntarily undergo cybersecurity assessments based on the NIST 800-171 requirements. Authorized by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), the JSVAP is a collaborative effort between CMMC-accredited third-party assessment organizations (C3PAOs) and the DIBCAC itself.
Alignment with the current NIST 800-171 rev2 is necessary to achieve an 88 or better in a DIBCAC High assessment, which can lead to reciprocity in CMMC Level 2 certification. This certification award begins on the day the rule is deemed final and continues through a three-year lifecycle. The JSVAP program will no longer be valid once either the CMMC program or NIST 800-171 rev3 releases its FINAL rule. CMMC certification will be evaluated on additional criteria not included in NIST 800-171 rev 2. As the program matures, so must your security.
It’s important to note that for the calendar year of 2023, DIBCAC does not have slots available for new applicants. Companies that are prepared or nearly ready should consider applying for available slots, as opportunities may open up due to companies dropping out or changing their plans during the waiting process.
Where You Fit in this Timeline
As the CMMC timeline unfolds, it’s essential to assess where your organization stands:
- Average time to implement r2: Currently, it takes the average company roughly 12 to 18 months to prepare for the CMMC Level 2 Assessment.
- Time to implement the 27 additional r3 requirements: The current rule-making process is based on NIST 800-171 rev 2, and changes will inevitably occur with the release of rev3. This is not a short-term change; NIST 800-171 rev 3 will take time to finalize, with an estimated transition phase of up to 12 months in addition to the rule-making process.
- The reorganization of security requirements will necessitate adjustments in your cybersecurity program to align with the new structure. This may require a significant investment in manpower and time to ensure compliance with the standard. Time is running out to prepare for this change.
- There are approximately 50 Certified Third-Party Assessment Organizations (C3PAOs) in the mix today. Scheduling an assessment with a C3PAO may prove to be one of the most challenging aspects of the assessment process. It’s imperative to initiate contact with a C3PAO today to secure your assessment slot.
How Ardalyst Can Help
As the CMMC timeline unfolds and the cybersecurity landscape continues to shift, it’s crucial to have a trusted partner by your side. Ardalyst’s Tesseract Managed Cybersecurity Program was built to help small and midsized businesses implement a comprehensive program to comply with regulatory requirements and improve their cybersecurity posture without the expensive price tag of most cybersecurity solutions on the market.
Don’t wait until the clock runs out. Take action today to secure your organization’s future.
- Get your free risk assessment. Meet the requirements for RA.L2-3.11.1 and lay the foundation for your comprehensive cybersecurity program.
- Start your free Tesseract trial. In addition to your free risk assessment, you gain for free:
  - A preview of your System Security Plan (SSP) and Plan of Actions and Milestones (POAM)
  - An overview of the Tesseract Managed Cybersecurity Program and your path to getting and staying compliant
  - A technical design of your Tesseract program enclave
  - Exclusive deals on additional tools like Microsoft 365