Updated Projected Timeline for CMMC: What this Means for Contractors and How to Prepare for Certification
The Cybersecurity Maturity Model Certification (CMMC) is a unified cybersecurity standard for Department of Defense (DoD) acquisitions, aimed at securing the Defense Industrial Base (DIB) supply chain. The program was revised in 2021 and is now known as “CMMC 2.0.” Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7021, the “CMMC Clause,” is currently under review. While the status could change, the latest information is that the final Federal rulemaking will be completed in 2023, with September 2023 the earliest date contractors should expect the CMMC rule to become final.
What Is the Current State of the Final CMMC Rule?
The rule is expected to leave the DoD by the end of March 2023 and go to the Office of Information and Regulatory Affairs (OIRA), part of the Office of Management and Budget, for review. OIRA is expected to complete its review by May 2023, but this is an aggressive timeline: OIRA has 90 days to review a rule, and that window can be extended. Using the March 2023 to May 2023 timeframe, the proposed rule would then be published by July 2023 at the earliest, followed by a 60-day public comment period. All comments must be addressed and answered before the rule becomes final. On this timeline, contractors are likely looking at September 2023 as the earliest date the CMMC rule would become final.
Note that the rule is not expected to be issued as an interim final rule (one that takes effect before the public comment period). One reason is that Congress has been asking a number of questions about the cost of compliance for contractors, so based on what we are hearing, an interim final rule is unlikely.
Is Contractor Compliance With CMMC an Allowable Cost?
The government has indicated that CMMC-related costs will be treated as allowable costs and are recoverable by Federal contractors. Contractors should budget and track CMMC-related expenses accurately and capture them in the correct rate pool, allocating them alongside costs similar in nature and applying them to the appropriate cost objectives so that they can be reimbursed.
What Should Contractors Do Now To Prepare for CMMC?
Preparation is the key to success. Companies should begin preparing for a CMMC assessment now by identifying gaps and remediating them to achieve the appropriate CMMC Level.
There are three main areas companies should focus on to get ready for a CMMC assessment.
The first is to identify the correct level of certification. Many companies assume they need Level 2 when they only require Level 1, and confirming this early saves considerable time and money. Companies should review their contracts, talk to their primes and subcontractors, and work out exactly which level their business needs.
The second step is to identify and document the assessment scope based on the CMMC Level 1 or Level 2 Scoping Guidance. The scope should clearly define the system boundary and categorize assets, including out-of-scope assets. As the scope grows, so does the assessment risk for the company. The key is to include only the systems and operations that handle the government information in question (Federal Contract Information for Level 1, Controlled Unclassified Information for Level 2) and are necessary to the business's government contracting.
The third step is to complete a gap analysis against the CMMC Level 1 or Level 2 Assessment Guide. The gap analysis serves as a mock assessment: it identifies the gaps the company must remediate before the real assessment, with recommendations for closing each one. It also helps a company get ready by identifying key team roles and responsibilities and what the assessor will consider adequate evidence. This is done by identifying the employees who will be the control owners and then testing each control requirement ahead of time, whether it is a documented policy or procedure or an automated control.
Readiness is key to success, and preparing for a CMMC assessment will take longer than many businesses realize. Organizations must work through the whole cycle with real rigor. Most organizations cannot wait for a contract to be released, then quickly prepare and obtain the necessary certification in time for an award 30 to 60 days later.
Companies often underestimate the time and resources required to prepare. Best estimates are that most companies should allow six months of preparation time, accepting that there will be a spectrum. Some businesses will be more mature because of where they have operated and what they have done previously in adjacent areas of compliance, while others will be starting from scratch. Many organizations will be in the middle, with some mature areas but no prior experience with this specific certification path.
Cherry Bekaert is authorized by the Cyber AB as a CMMC Third-Party Assessment Organization (C3PAO). As an authorized C3PAO, Cherry Bekaert assists DoD contractors seeking a CMMC assessment with CMMC readiness and with Joint Surveillance Voluntary Level 2 assessments conducted in partnership with the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). Having itself undergone a Level 2 assessment as a firm, Cherry Bekaert has a deep understanding of the assessment process and can guide DoD contractors seeking a CMMC assessment.
Catch up on Cherry Bekaert’s previous guidance pertaining to CMMC 2.0:
- Podcast: Final CMMC Rule: March 2023 Update
- Podcast: CMMC 2.0 – Where Does It Stand?
- Podcast: What’s New with CMMC 2.0?: August 2022 Update
- Podcast: CMMC 2.0 Brings Major Program Changes
- On-Demand Webinar: CMMC 2.0 Brings Major Program Changes