The DFARS Interim Rule sets the only known deadline for the Cybersecurity Maturity Model Certification (CMMC) program. The DFARS 252.204-7021 clause permits the Under Secretary of Defense for Acquisition and Sustainment to assign CMMC requirements to a contract.
The Department of Defense announced that in 2021 and 2022 it would conduct a number of pathfinder awards and pilots that use the CMMC requirements. These pilots, chosen by the Under Secretary, would flow down the 7021 clause.
Almost all contractors will not need a CMMC certification for years. On the current, and ever-shifting, timeline CMMC will not reach every contract until 2026. This gives small businesses, DoD suppliers and subcontractors roughly five years to develop and implement their plans and achieve certification. Starting in 2026, all new DoD contracts will contain CMMC requirements, the end of a process that began in 2019.
In 2019 the first draft of the CMMC model was released, developed in coordination with DoD stakeholders, University Affiliated Research Centers (UARCs), Federally Funded Research and Development Centers (FFRDCs), and with industry input.
As the CMMC program launched, the Department of Defense wanted to accelerate cybersecurity hygiene across the Defense Industrial Base (DIB) and took the extraordinary step of issuing the DFARS Interim Rule, published in September 2020 and effective November 30, 2020. The final rule has not yet been published.
In early 2021, after a new Administration took office, the A&S CISO, a position held by Katie Arrington, who spearheaded the CMMC program, was moved under the Deputy Assistant Secretary of Defense for Industrial Policy, a post held by Jesse Salazar. On May 18th Salazar testified before the cybersecurity subcommittee of the Senate Armed Services Committee and laid out his three goals for CMMC:
- To incorporate a unified set of cybersecurity requirements into acquisition processes and contracting language. Recognizing that cybersecurity should not be “one-size-fits-all,” the program includes several levels of cyber requirements that allow flexibility to apply requirements appropriate to the defined sensitivity level of the information at issue.
- To provide the Department assurance, via external assessment, that all contractors and subcontractors participating in a given award meet mandatory cybersecurity requirements. The certification framework also facilitates the Department’s ability to hold prime contractors accountable for ensuring that their suppliers are, in fact, implementing appropriate cybersecurity requirements.
- To develop supporting resources, information, and training to help contractors improve cyber readiness and comply with the Department’s requirements.
Salazar went on to explain that his office will focus on cost, conflicting standards and reciprocity, and reinforcing trust in the ecosystem.
At this time few CMMC Third Party Assessment Organizations (C3PAOs) have been approved by the CMMC-AB and the Department of Defense. Every C3PAO must itself pass a CMMC Level 3 assessment by the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). C3PAOs also need a security background check and must obtain ISO/IEC 17020 accreditation. You cannot get a CMMC certification yet, because no C3PAO can perform assessments.
You cannot yet take a class certified by the CMMC-AB that will qualify you for the CMMC exams. The final exam objectives have yet to be approved by the Department of Defense, and no exam or class can exist without them.
You cannot get started using the CMMC assessment methodology. The Department of Defense has not released any scoping guidance, and the CMMC-AB has kept the CMMC Assessment Process (CAP) under NDA.
Do not mistake delays for demise. CMMC is not going away. It is the process the Department of Defense will use for third-party attestation of cyber hygiene, using a framework of controls derived mainly from NIST SP 800-171.
While the CMMC timeline shifts, and will continue to shift to the right, you can get started on protecting your business now. Focus on growing your System Security Plan (SSP), which documents how you implement the NIST SP 800-171 controls, and on shrinking your Plan of Action and Milestones (POA&M), the list of controls you have not yet implemented. As you do this, focus on developing written policy. This approach will get you ready for CMMC regardless of when the deadline lands.