Changes to the Implementation Timeline of CMMC
When the Office of Information and Regulatory Affairs (OIRA) released its Fall 2022 Unified Agenda in early January, the agency did not give the proposed Cybersecurity Maturity Model Certification (CMMC) rule interim status, as had been expected. Had the interim or interim-final designation been applied, the rule would have been considered in force and incorporated into U.S. Department of Defense (DoD) contracts starting later in 2023.
Because the rule remains in proposed status, a public comment period will be established, and those comments will be adjudicated before the final rule is published. While there is a possibility the status could change, full implementation of the CMMC rule as a mandatory requirement for contract award will most likely be delayed into early 2024.
However, the Joint Surveillance Assessment Program is still active with the Defense Contract Management Agency (DCMA), and joint surveillance assessments with Certified Third Party Assessor Organizations (C3PAOs), which first started in the fall of last year, will continue. FORVIS performed one of the earliest joint surveillance assessments and has recently seen an increase in assessments scheduled for early 2023, indicating an acceleration of the joint surveillance program.
FORVIS is advising contractors not to treat CMMC as delayed. It is important to note that the established timeline for full implementation of the CMMC program by 2025 remains unchanged. DCMA is also still requiring contractors to complete a self-assessment against the NIST 800-171 security control framework as part of their contractor certification/representation. Implementing controlled unclassified information (CUI) protections and achieving compliance with NIST 800-171 therefore remain essential.
Why Should Contractors Consider Voluntary Assessment NOW?
Final rulemaking will determine how a Joint Surveillance Assessment may benefit a contractor, but there are many reasons why contractors should consider voluntary assessment now, including:
- Two Assessments in One. Joint surveillance assessments are concurrent assessments based upon NIST 800-171, performed together by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) and a CMMC C3PAO. A DIBCAC High Confidence Assessment is an assessment performed, at DIBCAC's discretion, of any contractor in the defense supply chain. By undergoing a joint surveillance assessment, a contractor may avoid being surprised by an unexpected DIBCAC assessment notice later.
- Competitive Advantage. Undergoing a Joint Surveillance Assessment demonstrates a contractor’s commitment to both its federal defense customer(s) and the protection of sensitive CUI it handles on the government’s behalf. Demonstrating this early commitment can help make contractors more appealing in the marketplace.
- Be Prepared When CMMC Becomes a Requirement. When CMMC becomes a contract requirement, there is expected to be a rush for certification assessments and a limited number of authorized assessment firms. Depending upon how the final CMMC rule is structured, getting ahead of this potential bottleneck by having already undergone an assessment with both DIBCAC and a C3PAO can better position a contractor to pursue full CMMC certification.
Established in 2019 and updated to version 2.0 in 2021, CMMC is the DoD program for protecting CUI. The framework requires contractors to establish a minimum baseline of requirements for securing CUI and to maintain an effective cybersecurity governance program. Any organization that is party to a defense contract, whether as a prime or a subcontractor, will be expected to achieve CMMC certification.
CMMC professionals at FORVIS closely follow the latest developments and can assist you as thought leaders in this space. If you have any questions or need assistance, please reach out to a professional at FORVIS.