The Department of Defense (DoD) is planning to release an Interim Rule on the CMMC framework by May 2023, according to Stacy Bostjanick, director of the CMMC (Cybersecurity Maturity Model Certification) program for the DoD. CMMC will be enacted on the day the Interim Rule is published, and CMMC requirements will start to appear in DoD contracts by July 2023, 60 days after the Interim Rule’s publication.
As of this writing in May 2022, that means defense contractors have little more than a year to become CMMC compliant.
Since 2017, contractors have been required to meet the 110 security controls of NIST SP 800-171, which the new CMMC Level 2 (Advanced) requirements will mirror. The National Institute of Standards and Technology (NIST) developed those security controls specifically to protect Controlled Unclassified Information (CUI).
For a few years defense contractors were permitted to just self-assess their compliance with NIST SP 800-171. But starting in late 2020 the DoD began to require not only that self-assessments be conducted, but also that the scores from those assessments be filed with the DoD’s Supplier Performance Risk System, known as SPRS.
If a defense contractor’s SPRS score falls below the highest possible NIST SP 800-171 score for their organization (out of a possible 110), they are required to create a POA&M (Plan of Action & Milestones) and indicate when non-implemented controls will become fully implemented. CMMC 2.0 will continue to permit the use of POA&Ms to show compliance. (More on this below.)
Further, unlike for NIST SP 800-171, self-assessments of CMMC 2.0 compliance will no longer be permissible other than at Level 1 and, perhaps, for some contractors at Level 2. Instead, outside assessment will be conducted by C3PAOs (Certified Third Party Assessment Organizations) for Level 2 contractors, and, most likely, by audit teams from the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) for Level 3 (Expert) contractors.
Defense contractors that handle CUI must achieve at least CMMC Level 2 and prepare for their C3PAO assessment. The assessment timeline below will help your organization devise a plan of action and be ready for that assessment.
First, doing nothing is not an option. If your company is still at the very beginning of this timeline, the time for action is now.
You’ll see that the timeline starts in March and April 2022, which are obviously behind us. But given the time it realistically takes to accomplish each of the steps in the timeline, and working back from May 2023, that’s ideally when those early tasks should have been accomplished. If your organization has not yet created a System Security Plan (SSP), conducted an initial self-assessment based on NIST SP 800-171’s 110 security controls, and developed a Plan of Action & Milestones (POA&M), then it is time for you to urgently begin to tackle those tasks.
PreVeil’s CMMC Level 2 Assessment Timeline is based on PreVeil’s expert knowledge of DoD cybersecurity regulations and what it takes for contractors to achieve and document compliance with those regulations. The action items and the time allowed for them on the timeline reflect that expertise. Each defense contractor’s experience will vary in time and effort depending upon its overall cybersecurity maturity level, resource allocation, internal buy-in, and prioritization.
The timeline illustrates an ideal outcome: a contractor meeting all relevant controls of the 110 security controls required at CMMC Level 2 by May 2023, when the Interim Rule is published and CMMC is finalized.
If your company is still at the very beginning of this timeline, while the time for action is now, you may be able to take consolation on two fronts:
First, while the timeline shows typical timeframes needed for each task, the time and effort needed to achieve compliance will be different for every defense contractor. Variables include your baseline cybersecurity maturity level and the resources and prioritization you can assign to achieving compliance. It may be that your organization will need less time to achieve and demonstrate compliance, or that you are now able to commit more resources and energy than a typical contractor would and so can make up for lost time.
Second, under CMMC 2.0, it will be permissible to sign DoD contracts with a POA&M in place. That means that your organization needn’t achieve the highest assessment score possible by May 2023. But in case that lessens your sense of urgency, consider that CMMC 2.0 will bring critical changes to the reprieve that POA&Ms have historically offered. POA&Ms will most likely have time constraints. At this point, it seems that contractors will have 180 days to remediate security gaps identified in their POA&Ms, but that is subject to change during the CMMC 2.0 Interim Rule making process.
Stacy Bostjanick also said recently that the DoD is expected to permit POA&Ms only for the lowest-risk security controls, i.e., those that are worth just one point in the DoD’s assessment scoring methodology. Fifty of the 110 security controls are worth one point. That leaves 60 controls that are worth either three or five points and must be met prior to a contractor’s CMMC Level 2 assessment. These 60 controls are both the most important for securing CUI and some of the most difficult to meet.
In short, while your organization doesn’t have to achieve the highest possible assessment score by May 2023, it should be on the cusp of doing so by then. Falling far behind this timeline in your own organization’s compliance journey carries too much business risk.
The goal is not just to be eligible to win defense contracts, but also to minimize business risk and keep CUI out of the hands of our country’s adversaries. By getting started on your organization’s compliance journey you can achieve these objectives and ensure your company is ready for ramped-up federal enforcement of cybersecurity regulations.
PreVeil offers this CMMC 2.0 assessment timeline to help you figure out how best to achieve those goals. To learn more:
Read PreVeil’s briefs: