CMMC 2.0: Codifying the Proposed Revision

Since the revision of the CMMC cybersecurity requirement was announced last month, we have been analyzing and reporting on the changes in a series of blogs. So far we have covered a range of topics, including the context for the update, the impact on assessments, and changes to plans of action and milestones (POA&M). This blog addresses what we currently know about how the DOD will handle the rulemaking for this revision.


Timeline of Rulemaking Process

Much has been made of the codification of CMMC 2.0. The government has said that it will take nine to 24 months to review and complete the rulemaking requirements. It is also important to keep in mind that what has been presented and proposed could change: as the process unfolds, public comments will be solicited, and the government will then review them, possibly resulting in changes to the proposed revision.

  • If this process takes just nine months to complete, CMMC will arrive three years earlier than planned under CMMC 1.0, which was scheduled to be effective in 2025.
  • If it takes two years and becomes effective in 2023, it will still arrive two years earlier than under the previous version.

It appears that many people are badly misreading this change, when in fact the DOD has taken time off the clock and moved the need to be compliant closer.


Suspension of Pilots and Certification Is a Non-issue

Another change is that CMMC pilots and certification have been suspended. On the surface this can seem sensational, but in reality it does not appear to have much impact, as there was little reporting or information to suggest that the pilots ever took off in any meaningful way.

In terms of the suspension of certification, the revision states that participation in CMMC is now voluntary. In fact, complying with CMMC 1.0 had always been voluntary, and zero companies have ever been certified.

It is our belief that the government is sending a message that companies wanting to do business with the DOD should focus on the foundational cybersecurity practices outlined in NIST 800-171.


What It Means to Your Business

Many of the proposed changes appear to speed up the cybersecurity compliance requirements, and they appear favorable to those who support national security and want defense contractors held to mandatory, verifiable cybersecurity minimums.

If you are a defense contractor, you should plan on meeting the cybersecurity minimums laid out in NIST 800-171, including security incident and event management, vulnerability management, asset inventory, and more. The services and products that come together to get you to compliance have not changed.


Next Steps

If you have any questions on how your organization should proceed in implementing cybersecurity controls, contact us. We understand the requirements of NIST 800-171 and can help you move forward to achieve and maintain compliance.

Watch a recording of our webinar about CMMC 2.0 and learn more about how it might impact your business.
