CMMC Is Coming! If You’re Not Preparing for It Yet, It’s Time to Get Moving
Here’s where CMMC stands and a guide to determining when your organization will be impacted, and some things you should be doing right now.
The Office of Management and Budget (OMB) rang in the new year with the publication of the Department of Defense (“DoD”)’s long-awaited Cybersecurity Maturity Model Certification (“CMMC”) rule in the Federal Register, but what does this mean for your organization? When will CMMC requirements begin to impact you? When do you need to be ready by? The answer is different for most organizations depending on your sales methods (short/long term contracts, purchase orders, etc.) and will be driven by the DoD’s proposed phased rollout, which was detailed in the publication of the CMMC Proposed Rule,” and is explained below.
Earlier this year, we published guidance on preparing your budget for CMMC compliance. In this article, we’ll review the current state of the CMMC regulation’s progress, the updated proposal for the DoD’s phased rollout plan, and the estimated timeline before the rule comes into force. These are all factors that impact exactly when your organization needs to be ready, and we’ll review what you should be doing now to prepare for CMMC (if you haven’t done so already).
The CMMC Proposed Rule was released. Where does it stand now, and what’s next?
On December 26, 2023, the DoD’s proposed Cybersecurity Maturity Model Certification (CMMC) rule was published in the Federal Register, a critical step towards finalizing the rule and beginning the process for its implementation. The proposed CMMC rule will apply to all DoD contractors and subcontractors that will process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) on contractor information systems.
When will CMMC impact your organization? It depends (on many things…). You’ve got some homework to do in order to formulate an informed guess at when the “when” is for your organization, but we’ll get to that later. First, let’s discuss where CMMC is at now, and how the CMMC rollout information released in December impacts the timeline for when you’ll need to be ready…
The DoD submitted the proposed CMMC rule to the OMB on July 26, 2023, for regulatory review. After completing its review, OMB published the proposed CMMC rule in the Federal Register on December 26, 2023, as a “Proposed Rule” as opposed to an “Interim Final Rule.” The “Proposed Rule” approach requires a 60-day public comment period and review and consideration/adjudication of the comments received, before the DoD can begin to implement the rule.
The DoD initiated the public comment period following the publication of the “Proposed Rule,” and concluded it near the end of February 2024. Once the public comment period ended, the DoD began to adjudicate and respond to the comments received – a process which is estimated to take somewhere between 280 and 333 days, based on the DoD’s past response times, before the DoD publishes a final rule and can begin phasing CMMC into its contract requirements.
Additionally, during this time, the National Institute of Standards and Technology (“NIST”) released revision 3 of its 800-171 framework. However, we have learned that CMMC will continue to align with the NIST 800-171 rev2 framework throughout the initial CMMC rollout and implementation. This means there is no need to focus on updating your organization’s controls implementation to align with the NIST 800-171 rev3’s new or updated control requirements at this time, although it is expected that a future version of CMMC will adopt revision 3 of the NIST 800-171 framework. For now, your organization should remain focused on implementing, or remediating gaps in your NIST 800-171 rev2 controls implementation.
Based on all of this, the CMMC final may be expected to be released between December 2024 and February 2025, at which point, implementation of CMMC’s phased rollout will begin.
What will the CMMC implementation look like?
The DoD included an estimated timeline for the phased implementation of the program as a part of the CMMC Proposed Rule. It is comprised of four phases, occurring over a period of two and a half years:
Phase 1: CMMC Level 1 & 2 Self-Assessments and Some CMMC Level 2 Certification Requirements
Duration: 6 Months
Detail: Phase 1 begins on the effective date of DoD’s final CMMC rule (i.e., when DFARS 252.204–7021 is officially revised). During Phase 1, CMMC Level 1 or Level 2 self-assessments will become a condition for contract award. Contractors must self-assess their compliance with the cybersecurity requirements of CMMC Level 1 or 2 (whichever level is applicable to the contract) to be eligible for contract award. The DoD may also include third-party CMMC Level 2 certification requirements in certain contracts, at its discretion.
Phase 2: Additional CMMC Level 2 & Some Level 3 Certification Requirements
Duration: 1 Year
Detail: Phase 2 begins six months after Phase 1 begins. During Phase 2, the DoD will add CMMC Level 2 certification requirements to be eligible for all applicable contract awards. Contractors will need to pass a third-party Level 2 CMMC assessment to be eligible for contracts with Level 2 CMMC requirements. During this phase, the DoD may also begin to release some contracts with Level 3 certification requirements, at its discretion.
Phase 3: CMMC Level 2 Certifications Required for Contract Options on Contracts Finalized Prior to CMMC Final Rule and Level 3 Certification Requirements
Duration: 1 Year
Detail: Phase 3 begins one year after Phase 2 begins. During Phase 3, the DoD will extend the CMMC Level 2 certification requirement to applicable contracts that were awarded prior to the implementation of the CMMC rule. The DoD will not exercise options on existing contracts unless the contractor has passed a third-party Level 2 CMMC assessment (assuming the CMMC Level 2 requirements are applicable to the contract). Additionally, DoD will now begin to include CMMC Level 3 certification assessment requirements to all applicable contract awards.
Phase 4: Full Implementation. All CMMC Program Requirements will now appear in all applicable DoD Solicitations and Contracts and Options on Existing Contracts
Duration: Ongoing
Detail: Phase 4 begins one year after Phase 3 begins and will mark the full implementation of the CMMC program. During Phase 4, DoD will include all CMMC Program requirements in all applicable DoD solicitations and contracts including options on existing contracts.
Expectations Summary
Based on the progress to date, milestones achieved with the OMB regulatory review, CMMC Rule publication, completion of the comment period, and CMMC implementation plan detail from the CMMC Proposed Rule, these are our expectations:
- 2024 Q4/2025 Q1 – CMMC Final Rule Publication, CMMC Implementation Begins.
- 2024 Q4/2025 Q1 – CMMC language begins to appear in contracts, requiring Level 1 and Level 2. Self-Assessments.
- 2024 Q4/2025 Q1 – Some contracts may include third-party CMMC Level 2 certification requirements, at the discretion of the DoD.
- 2025 Q2/Q3 – CMMC Level 2 certification requirements included in all applicable contract awards.
- 2025 Q2/Q3 – Some CMMC Level 3 certification requirements begin, at the discretion of the DoD.
- 2026 Q2/Q3 – CMMC Certifications Required in new Contracts and for exercising contract Options for contracts Finalized Prior to CMMC Final Rule.
- 2026 Q2/Q3 – CMMC Level 3 certifications requirements included in all applicable contract awards.
- 2027 Q2/Q3 – CMMC Full Implementation – CMMC requirements appear in all DoD solicitations and contract Options.
Other Considerations
- 6+ months – Estimated wait time to schedule a CMMC Assessment with a Certified Third-Party Assessment Organization (“C3PAO”)
Which of the above dates applies to your organization?
This is where you have some homework to do, if you haven’t already. In order to determine which of these implement phases your organization will begin to be impacted, you need to know a few key things, including:
1. What kind of data does your organization receive, create, process, or transmit?
2. How does your organization sell its products and services?
- If your organization sells to the DoD via contracts, do any of your contracts include Contract Options Periods?
What kind of data does your organization receive, create, process, or transmit?
Whether you perform this activity internally or engage a Registered Provider Organization (“RPO”) to assist, you need to map our data flows and understand how data flows into, throughout, and out of your organization. You need to understand the nature of that data – is it marked as Controlled Unclassified Information (“CUI”), or does constitute CUI – based on the National Archives CUI Registry, and/or does the information your organization is handling constitute Federal Contract Information (“FCI”)?
Once you’ve analyzed your data, you’ll be able to make key determinations, including:
- Is my organization subject to CMMC?
- What CMMC Level is my organization subject to?
How does your organization sell its products/services?
Why does this matter – it’s all about the data, right? Yes, but also critical to when you’ll start to receive CMMC language in contracts is determined by understanding how your organization engages with the DoD and prime contractors. If your organization works primarily off of purchase orders or small, short-term contracts, you should plan to be prepared sooner rather than later, based on the date estimates provided earlier. However, if your organization works on larger/longer-term contracts, and contracts with extension options, you have a little more breathing room – as CMMC will only be appearing in new contracts initially and won’t impact your existing contract extension options until Phase 3, estimated in mid-2026.
This is a critical change to previous guidance, which indicated that contract options would not be impacted unless a major revision to the contract was performed, but we now know that the DoD will be proactively inserting CMMC language into contracts at the time of exercising contract options on Contracts Finalized Prior to CMMC Final Rule, starting in Phase 3, estimated to occur in mid-2026.
Therefore, you should be working with your business operations teams to understand if your organization works off of purchase orders, what DoD contracts you have in place, when they expire, if they have contract extension options attached to them, etc. You will then be able to develop an estimate of how many contracts you’ll have that remain in-force as is through the CMMC implementation, without CMMC language, which contracts will be impacted at time of contract extension, and how many new contracts on average, you plan to bid on during the CMMC implementation period. You can then make a risk-based decision on the amount of revenue you may be at risk of losing, if you’re not ready for CMMC immediately as implementation begins, and how much revenue is at risk, based on when you believe you have CMMC requirements implemented.
What should you be doing now?
- First of all, if you haven’t started already, begin implementing NIST 800-171 rev2’s 110 controls – either broadly across your organization, or on the specific systems, services, locations, and staff designated for handling data used to fulfill CMMC contracts (if you’ve already determined or defined which people, processes, and technology will comprise your CMMC scope). As the CEO of the Cyber AB said:
“There is ‘you must implement the standards’ and there is a conformity regime being set up to validate that you’ve done that. You don’t need to wait on that second half to get going on that first half,” – Matthew Travis (CEO, Cyber-AB)
2. Understand your business processes, including sales and legal methods and processes.
3. Assess your data – understand if and where your organization is handling CUI and FCI.
4. Determine your CMMC Level.
5. Determine your CMMC Scope – people, processes, technology, and locations.
6. Plan a target date for your CMMC Assessment and begin to identify prospective C3PAOs.
7. Identify your organization’s stakeholders and formalize a CMMC Steering Committee.
Once you’ve determined the dates when your organization must be certified by, to avoid unacceptable business interruption and revenue loss – work with your organization’s relevant stakeholders and leadership to gain consensus on your CMMC compliance plan and certification timing. Knowing that there is a limited number of C3PAOs and there may be a backlog of assessments being scheduled –which could push your assessment out 6 months or more, begin to identify and establish relationships with C3PAOs. Work with the C3PAO you’ve identified to determine if their availability will align with your certification timing requirements.
You now know how much time you have to prepare for CMMC and need to begin putting plans in place to identify any CMMC gaps, and to remediate those gaps ahead of the C3PAO assessment. Even though the final CMMC rule will not be finalized until late 2024 or early 2025, you shouldn’t wait to begin defining your scope and implementing NIST 800-171’s 110 controls – that work can begin immediately.
How can ivision help?
Whether you’re just getting started, already on your way towards CMMC compliance, or just need a second set of eyes on your CMMC planning and implementation, ivision can help you on your CMMC journey. As a Registered Provider Organization (“RPO”), ivision’s team of CMMC Registered Practitioners (“RP”), and CMMC Certified Professionals (“CCP”) are trained and ready to work with your team to accelerate your progress and provide the CMMC planning, governance development, and implementation guidance your organization needs.
ivision has helped DIB contractors ranging from multi-billion-dollar manufacturers to small to mid-sized businesses working towards CMMC compliance. ivision has helped clients with:
1. CMMC Assessment and Planning
- CMMC analysis and scoping
- Performing CMMC Gap Assessments
- CMMC Compliance and Remediation Roadmap Planning
- CMMC Governance development
- Steering Committee Planning and Development
- Policy Development
2. CMMC Program Management
3. NIST 800-171 Program Building/Solution Design and Implementation
- Network Segmentation Strategy Design, Governance, and Planning
- Cyber Risk Management Program Development
- Baseline Configuration Management Program Development
- Incident Management/Response Program Development
- Training and Awareness Program Development
- Media Protection Program Development
- Data Security Strategy and Governance
- System Development Lifecycle Program Development
- Physical Security Program Development
- Application Control Program Development
- Personnel Security Program Development
- Asset Management Program Development
- CMMC Maintenance Planning and Program Development
- Vulnerability Management Program Development
- Multifactor Authentication Program Development
- Security Information and Event Management and Log Management Program Development
- Identity and Access Management Program Development and Implementation
- Backup and Recovery Program Development
- Active Direction Analysis and Remediation
- Microsoft 365 Strategy, Planning, Analysis and Remediation
5. Mock Audits and Pre-Assessment Assistance
Whether you need help defining your CMMC scope, performing a pre-assessment and development of a Plan of Action and Milestones (POA&M), developing your CMMC governance collateral, managing your CMMC program, evaluating, selecting, and implementing security solutions, or building NIST 800-171/CMMC compliant security capabilities, ivision is ready to help you on your CMMC journey. Contact us today to get started.
