CMMC State of Play: May 2022
Updated: May 15
Some recent timelines and clarifications issued by the DOD have brought the looming CMMC deadline into clearer focus. In a nutshell: Winter is Coming. If you haven’t started getting your Cyber House in order and you want to do business with the DOD, it’s time to get hopping.
LESS THAN A YEAR
The Office of the DOD Chief Information Officer’s lead on all things CMMC, Stacy Bostjanick, has indicated that the planned release of the updated “interim rule” to implement its Cybersecurity Maturity Model Certification 2.0 program is May 2023. In case that didn’t wake you up, she has also indicated that initial CMMC requirements will be showing up in DOD contracts 60 days after the rule is published.
The DOD intends to implement the changes in the CMMC 2.0 framework through the rulemaking process in both Title 32 CFR, to establish CMMC 2.0 program requirements, and Title 48 CFR, to make any needed changes to the CMMC program content there. Both rules will have public comment periods.
During a cybersecurity panel in early May, Bostjanick said that the DOD’s anticipation is that “we will be allowed to have another interim rule like last time. We’re hoping the interim rule will go into effect by May.”
Bostjanick indicated that the Pentagon expects CMMC requirements to show up first in RFIs, which will precede RFPs and provide details on what maturity level is needed.
She indicated that there is an intended interim period during which companies could be assessed ahead of the CMMC rule going into effect, with the eventual three-year certification taking effect when a contract is awarded. Assessments might be available as early as Summer 2022 for the first companies ready to undergo assessment.
POAMS and Innovations
CMMC 2.0 allows companies to have a plan of action and milestones (POAM), as well as the possibility of waivers where an equivalent level of security is demonstrated. Neither of these is a license to delay, however. The items allowed on a POAM are limited to lower-level security practices. Critical controls such as MFA and limited administrative privileges will not be permitted on a POAM. Additionally, obtaining a waiver will not be a routine procedure and will require executive-level approval. It is critical to note that both of these stop-gaps are anticipated to be limited to a 180-day timeline.
The New and Accelerated Timeline
In short, if you were relying on the initial CMMC deadline of October 2025 to give you a little wiggle room, you need to be aware that those dates have now changed. The new proposed effective date on which CMMC will begin impacting DOD contracts has been moved up to May 2023.
If you’re starting from scratch, you now have less than a year’s time to implement a LOT of security practices and controls. Get started now. If you need help getting started, seek some expert help.
You can always call us. principia/RAID can help.