Late in December 2023, the Department of Defense released its much-anticipated draft rule for CMMC. We are at the end of the 60-day period for interested parties to submit comments back to the DoD. An additional 90-day period will follow, allowing the DoD to adjudicate and respond to all comments and issue the final rule. The DoD has the option to extend the comment period beyond February 26, 2024, but has indicated they are not going to do so.
In other words, after three years, we are actually in the home stretch.
While there have been some surprises in the draft rule, most of it is what we expected to see. Unfortunately, the recently released NIST SP 800-171, rev. 3 was not included. Therefore, the overall structure of assessments, organizations involved, and scoring remains the same. Additionally, the DoD codified a 180-day Plan of Action & Milestones period for organizations to complete requirements. The POAM period assumes an organization has previously met a minimum of 80% of all requirements, and that no unmet requirements are 5-point (or a few select 1-point) preconditions. Companies should be especially precise when preparing for these key controls.
The most-asked question so far: How much longer do we have?
According to the DoD, the rule is expected to take effect later this year, with contracts first appearing in early 2025. If you start preparing now, you should have just enough time to get ready for your assessment – assuming you diligently undertake the task. On average, we have found that it takes clients 12-18 months to be fully ready for their assessment.
Why so much time? Unlike with a technical problem to solve, a new product to install or a revised process to implement, readying for an assessment requires an organizational shift in policy, strategy and budget. If your company has never allocated a specific cybersecurity budget, you need to. Now. There is no piece of software or off-the-shelf product you can acquire to “make you qualified” – there’s serious work to be done.
Timing – A Phased Approach
Once the DoD final rule is entered in the Federal Register, a CMMC revision to DFARS 252.204-7021 will also take place. This in turn triggers the CMMC contract clauses, which will be effective on a day to be determined by the DoD. For our discussion, let’s call it “CMMC-Day.”
Phase 1 – CMMC-Day
Three very important conditions exist as of CMMC-Day, each of which could have a significant impact on your company’s ability to work – or continue working – with the DoD:
You read that right. On day one, some Level 2 certifications will be needed! No Certification = No Contract.
Phase 2 – CMMC-Day +6 months
The DoD intends to require Level 2 certification for all awards. At its discretion, the DoD may allow a grace period under certain circumstances for companies to achieve Level 2 certification after the initial contract award, but before an option is exercised to extend the contract. Furthermore, the DoD may begin requiring a Level 3 certification for contract awards.
Phase 3 – CMMC-Day +18 months
Fully implemented Level 2 assessments will be required for all contract awards as well as for exercising the options of existing contracts. Additionally, Level 3 certifications will be required for all contract awards, but as with Phase 2, a grace period may be available to become certified before the contract option is exercised.
Phase 4 – CMMC-Day +30 months
The DoD will require full implementation (Levels 1, 2 & 3) for all contract awards.
What does all this mean?
If you have a contract with the DoD or a sub-contract with a Prime contractor, you will be required to have a CMMC Level 1 and Level 2 self-assessment completed within the year.
Many of you already know this. However, if your company has been procrastinating, playing the wait-and-see game, or hoping somehow the problem will “simply go away”…your time is up.
Compounding the challenge, we expect a crush of contractors attempting to get their Level 2 Assessments completed later this year and into next year. If you haven’t begun the process, get moving now or get left out in the cold.
Where to start.
Complete a self-assessment using our custom application, Monarch’s Security Catapult. The tool is free for Level 1 self-assessments.
Security Catapult walks you through a guided assessment designed to determine how well you adhere to the 17 practices required for CMMC Level 1 compliance. We’ve distilled the complex language into “plain English” so you can fully understand what’s being asked of your organization. We recommend that you be deliberately hard on yourself when answering questions – think about how you will demonstrate your compliance before clicking that “Yes” option.
At the end of this process, Security Catapult will cover every angle an Assessor will take to validate your organization’s compliance. As a bonus, Security Catapult will create custom System Security Plans and Policy templates for you in real time as you work through the tool.
Still too much?
Don’t worry. Just call us. We’ll help walk you through it.