At its core, CMMC consists of the same 110 controls that make up NIST 800-171. The only difference between CMMC and NIST 800-171 is that CMMC will require a third-party assessment conducted by an independent C3PAO (CMMC Third-Party Assessor Organization).
Defense contractors handling controlled unclassified information (CUI) have been required to meet NIST 800-171 since 2017. Thus the question here isn’t when defense contractors will need to meet CMMC standards – they’ve been required to for the past five years. The only piece still up in the air is when strict enforcement will begin.
The Department of Defense has made clear that the CMMC Rule is imminent and defense contractors need to work towards meeting compliance. Here’s what Matt Travis (CEO of Cyber-AB) said at PreVeil’s Virtual CMMC Summit on November 1, 2023:
Current State of CMMC
The CMMC rule is currently with the OMB’s (Office of Management and Budget’s) Office of Information and Regulatory Affairs (OIRA) and will soon be released for public comment. After that, CMMC will be published in the Federal Register. Travis expects this to happen by November 21. From there, a 60-day public comment period will begin.
During this comment period, the public will have an opportunity to make suggestions, ask questions, and request clarification about CMMC. “I implore you all to get engaged,” Travis said, noting that CMMC will apply throughout the public sector and possibly even reach into the private sector.
When will CMMC be in Contracts?
CMMC is expected to be included in contracts by mid- to late 2024. However, this does not mean that companies should wait until 2024 to begin a CMMC implementation plan. NIST 800-171, which CMMC is based on, is already required today. Furthermore, prime contractors are already beginning to require their subcontractors to meet CMMC compliance requirements, ahead of the rule.
Defense contractors who are not yet meeting all 110 NIST 800-171 controls should prioritize bringing their cybersecurity up to standard immediately.
Preparing for CMMC Level 2
Given that CMMC will be in contracts in 2024, you need to get started on your compliance preparations now, as it takes 12-18 months for the average defense contractor to become assessment-ready. Doing nothing is not an option. “If you do not get CMMC Certification, you will not be able to win DoD contracts. I cannot emphasize that enough,” said Travis.
The CMMC timeline below illustrates the path a contractor might follow to meet all 110 NIST 800-171 controls by the time CMMC is finalized. There are a few important takeaways from this image that will help you in your compliance journey. (Read our blog on the CMMC Compliance Checklist for the full listing that will help organize your company’s compliance efforts.)
First, while the timeline shows a typical timeframe needed for each task, the time and effort needed to achieve compliance will be different for every defense contractor. Variables include your baseline cybersecurity maturity level and the resources and prioritization you can assign to achieving compliance.
Second, protecting CUI is at the core of NIST 800-171 and thus of CMMC compliance. Moreover, it is not enough to simply protect your CUI; you must also provide adequate documentation to prove that you are compliant. CMMC assessments will be conducted by C3PAOs at Levels 2 and 3. These C3PAOs will require your System Security Plan (SSP) to show how you are meeting each assessment objective, and they will expect sufficient evidence and supporting artifacts to demonstrate that you are meeting those objectives.
Make sure you are taking steps to address the items in your Plan of Action and Milestones (POA&M), specifying the technologies and procedures you will need in order to close those gaps. C3PAOs will allow only limited use of POA&Ms at the time of assessment, and then only for a small number of the lowest-scoring practices. You will need a minimum score of 80% (88/110) to be eligible for a conditional certification, so we do not recommend relying on POA&Ms to pass CMMC.
Lastly, once you’ve identified the unmet controls, you must take the outlined actions to meet those controls. POA&Ms are strictly time-bound and will expire 180 days after your C3PAO assessment. A POA&M must document all proposed actions to remediate deficiencies and the respective timeframe for doing so. The POA&M should detail the progress of corrective actions as they are carried out and thus be updated regularly. It is critical that organizations prioritize closing any security gaps.
Note that while your organization doesn’t have to achieve the highest possible assessment score by mid-2024, it should be on the cusp of doing so by then. According to the current letter of the law, NIST 800-171A, you are already responsible for meeting all of the security requirements included in CMMC. If you are not yet fulfilling this obligation, the time to act is now.
The goal for defense contractors is not only to remain eligible to win defense contracts, but also to minimize business risk and keep CUI out of the hands of our country’s adversaries. By getting started on your organization’s compliance journey, you can achieve these objectives and ensure your company is ready for ramped-up federal enforcement of cybersecurity regulations.
PreVeil offers this CMMC 2.0 assessment timeline to help you figure out how best to achieve those goals. To learn more:
- Schedule a free 15-minute consultation with our compliance experts to answer your questions about NIST SP 800-171 and CMMC 2.0
Read PreVeil’s briefs: