If you’re searching around for the latest updates from the Cybersecurity Maturity Model Certification (CMMC) world, you’ve come to the right place. The day, July 24, 2023, became an important step in the CMMC process, as that’s when the Department of Defense (DoD) officially submitted the CMMC Program rule under 32 Code of Federal Regulations (CFR) and the Assessing Contractor Implementation of Cybersecurity Requirements rule under 48 CFR to the Office of Information and Regulatory Affairs (OIRA) under the Office of Management and Budget (OMB).
To some, that may not sound like a big deal. But to the world of Federal Government rulemaking, this one matters. A lot.
For starters, in order for CMMC to become an actual requirement in a Government contract, the rulemaking process is required to take place. Requirements can’t just show up in contracts because someone wants them to (which is good for everyone), but once proposed rules hit certain milestones, “time-clocks” for official publication begin.
CMMC Rulemaking Update
In the specific case for CMMC, the submission from DoD to OIRA means CMMC is going to happen. When might it happen? That depends on what happens next.
Here’s a quick summary of what the typical timeline of a rulemaking process looks like at this stage in the game:
- OIRA must review all rules that are submitted
- OIRA has a maximum of 90 days to review and make a decision on whether the submitted rule needs further revisions or can be sent further down the publication process in the Federal Register.
- A public comment period (usually 30-180 days) will begin after OIRA’s review and when the rule is published to the Federal Register.
- At this point, the rule will be published as either an “interim final rule” or a “proposed rule.” This directly impacts the “when” in the question: When will CMMC go into effect?
“When” Will CMMC Begin?
Now that OIRA is in the process of review, there are two outcomes that drastically change the “when” of CMMC:
- Outcome #1: An “interim final rule,” which means the rule can go into effect immediately (30 days after the decision), even before being published as a “final rule,” or it will go into effect by the date specified in the rule as the “effective date.” Although unlikely, if this were to happen, the requirement needs to be approved before showing up in select contracts. This has happened in recent DFARS history, specifically the DFARS Interim Rule (252.204-7019 & 7020 for example), due to the importance of the matter.
- Outcome #2: A “proposed rule,” which means the rule has to be opened for public comments, agency response, and OIRA review again. As far as how long that could take really depends on how many public comments are submitted. Past history averages show that this takes approximately 300 days. The “when” in this scenario lands somewhere around late Q1, 2025.
What Has Changed?
Now, you might be asking yourself, “so what changed, exactly?” The answer to that question is nothing. Today’s requirements of implementing NIST SP 800-171 in order to comply with DFARS 252.204-7012, 7019 and 7020, have not changed. If you currently have those clauses in your contracts, the DoD expects you to already be meeting those requirements if you receive, generate, process, store or transmit Covered Defense Information (CDI), Controlled Technical Data (CTI) or Controlled Unclassified Information (CUI).
Reminder: CMMC is a validation assessment by an authorized third party of today’s cybersecurity requirements. Nothing more, nothing less.
That means, if you’re an organization seeking certification (OSC) that currently has the DFARS 7012, 7019 and 7020, and are handling CDI, CTI or CUI, you should not be waiting until CMMC is “official” to get moving on your compliance program.
NIST SP 800-171 can’t be implemented overnight. If it was that easy, our adversaries would find their way into the Defense Supply Chain pretty easily. In fact, the whole purpose of NIST 800-171 is to increase the cybersecurity expectations of the Defense Industrial Base (DIB) from “foundational” to “advanced,” which is what CMMC Level 2 certifications will demonstrate.
Challenges Facing SMBs
When it comes to the challenges facing the small and medium businesses (SMBs) that make up the DIB, it always comes down to costs, resources and practicality. NIST SP 800-171 is a set of non-prescribed controls (requirements). That’s a good thing for OSCs, as it allows them to take the best path to compliance for their business. The most common approaches are:
- Do it yourself via in-house resources or leveraging an External Service Provider (ESP)
- Migrate to a GovCloud
- Isolate sensitive data (like CDI, CTI & CUI) into an enclave for only authorized individuals
The CMMC marketplace can be extremely difficult to navigate for any OSC. For example, how can you tell that any resource you engage with has the proper experience to help you achieve a continuous compliance program like NIST SP 800-171 & CMMC?
The number of CMMC services in the market has increased dramatically over the last couple of years, compared to what it looked like in 2017 when Beryllium InfoSec (the parent company of Cuick Trac) was formed years prior to the CMMC announcement. Make sure you do the proper due diligence when selecting resources to help you walk down the compliance path you choose.
What to Focus On
The biggest focus for any OSC is the scope of the data handled. Whether it’s Federal Contract Information (FCI) or CUI, your scope will shape the overall costs of both implementing NIST SP 800-171, and the costs of a CMMC third-party assessment by a C3PAO. Those are two separate costs OSCs need to budget for and manage properly.
We often see incorrect scoping mistakes when talking to OSCs for the first time. To define your assessment boundary for CMMC, you need to clearly understand the people, places and things that process, store or transmit CUI (if you do) and FCI. This is the difference between being required to self-attest to CMMC Level 1 or CMMC Level 2, or to obtain certification for CMMC Level 2, and that difference is drastic to an OSC’s bottom line.
Lastly, understanding your contracts is extremely important. To confidently say “yes” to questionnaires and solicitations from your customers, the contract requirements and language need to be properly understood. Knowing what resources need to be allocated to what responsibilities can be the difference between winning and losing a contract opportunity.
The Cuick Trac CUI enclave solution helps ensure you remain compliant with NIST 800-171 and CMMC. Through Cuick Trac, we will give you a Shared Responsibility Matrix detailing what objectives we’re responsible for fulfilling. Contact us today for a demo.