CMMC Is Closer Than You Think
C3 Integrated Solutions has been tracking the progress of Cybersecurity Maturity Model Certification (CMMC) for over a year, from its pre-release status through the release of CMMC 1.02 and its continued evolution as the nation grapples with the effects of COVID-19. Although the original go/no-go deadline was to be September 2020, there has not been a significant delay despite the pandemic. CMMC will continue to roll out, and in an effort to keep our community abreast of the latest news, we’ll continue to monitor and report on the information we’re hearing.
Recently, the Maryland Innovation and Security Institute (MISI), an organization founded to help companies accelerate the discovery of viable cybersecurity and related technologies, held another National Listening Session to update the defense community on the progress of the CMMC rollout. As always, the panel was first-rate and the information was excellent. Here are our takeaways from that session, as well as several additional data points:
The CMMC Rollout is on Track
COVID-19 may have slowed the rollout of CMMC slightly, but IT professionals should not expect any major delays. In May, Katie Arrington, Chief Information Security Officer for Acquisition at the Department of Defense (DoD) announced that defense contractors should expect to see new CMMC version 1.0 requirements in requests for proposals released in November 2020. As we have said from the beginning, CMMC is closer than you think, and it remains in the defense industry’s collective short-term future. The panel was clear that CMMC is moving forward and will remain very close to the original timeline.
CMMC Language in Contracts
Central to the rollout is the revision to DFARS 252.204-7012. This update will embed CMMC requirements in future DoD contracts and contractually obligate any contractors working with the DoD to meet the requirements. As soon as those revisions are finalized and released, CMMC will be implemented into ALL DoD contracts moving forward.
DFARS 252.204-7012 Update is Almost Ready
Katie Arrington also reported that the DFARS 252.204-7012 update is going through an interagency review and is almost ready for public comment. Once it is released for public comment, the final release will be a little more than 60 days out. For those of you watching when CMMC becomes official, this is the key driver. Arrington stated, “You will not see the CMMC in any DoD contracts or RFPs until the rule change is completed.”
STARS III Includes CMMC Language
As detailed by our friend Charlie Tupitza at SBDC, the GSA contract solicitation for STARS III includes language reserving the right to amend the contract to add CMMC language. Government contractors take note: this is a clear vote of confidence that CMMC will be for more than just the DoD. Among the comments are that, “it is vital that contractors wishing to do business on 8(a) STARS III monitor, prepare for and participate in acquiring CMMC certification.” Additionally, the solicitation states, “STARS III Order competitions may be restricted by designation of an applicable CMMC level and/or ISO certification, such as, but not limited to, ISO/IEC 27010:2015, ISO/IEC 20243, ISO/IEC 27000, ISO/IEC 27036 and ISO 9001:2015.”
CMMC Audit Requirements Are a Work in Process
The CMMC Accreditation Body only expects to be able to deliver provisional certifications before the DFARS 252.204-7012 rule is finalized, in case there are any changes. As such, provisional assessments are underway to validate the approach. Once the DFARS 252.204-7012 rule is finalized, the floodgates will open. This part will be interesting.
What We’re Seeing
The industry’s response to CMMC has been incredible. Over the last six months, we’ve seen an impressive level of activity around CMMC. Here’s our perspective:
- Contractors are racing to prepare for eventual audits by securing their systems, writing policies and implementing controls to the best of their ability.
- There is a massive gap between the controls that are published and any guidance as to what is acceptable, or not acceptable to meet them.
- The bottleneck that will be created to get contractors approved once CMMC goes into contracts is going to be as messy as everyone expects.
- The majority of companies we talk to are preparing for Level 3, partially because they expect it to be a requirement of their primes.
How to Get Started
If you are just getting started with CMMC, there are generally two directions you can go. If you have an ISO Certification or have made reasonable investments in cybersecurity, you could probably hire a compliance expert for a baseline assessment and development of a POAM.
If you have historically under-invested in cybersecurity, then you should start with a technology review and a ground-up approach. There’s no sense doing an assessment if you already know you’re only going to be 20% compliant. C3 Integrated Solutions can help develop a technology strategy to upgrade your systems and put you in a position to be successful during an audit.
To learn more about how C3 Integrated Solutions can help you become CMMC compliant, contact us.
Bill Wootton is the Founder and President of C3 Integrated Solutions, a full-service IT provider based in Arlington, VA that specializes in securing our nation’s Defense Industrial Base through cloud-based solutions and industry-leading partners. Bill is passionate about bringing cyber-awareness and cyber-maturity to the nation’s Defense Industrial Base, working with clients to help them achieve CMMC and NIST 800-171 compliance by providing MSP, security and Office 365 integration services.