Catch Me Up: Where Are We With CMMC?

By now, unless you’ve been lucky enough to escape to a remote island for the last few years, you’ve heard of the Cybersecurity Maturity Model Certification, or CMMC. It is a program and standard assessment framework, developed by the Department of Defense (DoD), that sets security requirements addressing the ongoing nature of cyber threats. According to the DoD, it is “…designed to enforce protection of sensitive unclassified information that is shared by the Department with its contractors and subcontractors.”

CMMC 1.0

The program was initially crafted in January 2020 as CMMC 1.0, with compliance standards issued as levels of security for vendors doing business with the DoD. Response to the rollout, however, was quite mixed. The first iteration contained five levels of compliance but seemed to lack an overall streamlined approach. Furthermore, some deemed the assessment procedures more arduous than necessary. As a result, the government incorporated the feedback it received and released CMMC 2.0 guidance in 2021.

CMMC 2.0

CMMC 2.0 included three levels, as opposed to the initial five, and gave contractors the ability to assess themselves for Level 1 certification instead of always needing a third party. Along with the newer model came an interim rule and a procedural timeline for finalizing the guidance into law. It was initially projected to be rolled out in March of 2023, with implementation into contracts beginning in May 2023.

As with so many rules and laws, however, delays took hold as the DoD refined its rulemaking process and review. Here we are in the summer of 2023, and we have since inched closer to implementation. While we aren’t at the finish line yet, the latest status is a step closer.

OIRA Review

Recently, the Office of Information and Regulatory Affairs (OIRA) received the latest CMMC framework from the DoD with up to a 90-day review period. It’s worth noting that 90 days is standard for any potential rule review, regardless of the subject matter. OIRA is part of the Office of Management and Budget (OMB) and will examine the CMMC framework prior to submitting it as a final rule. Once it reaches that step, contractors will need to comply with the new standards.

To that end, the DoD CIO explained, “The publication of materials relating to CMMC 2.0 reflect the department’s strategic intent with respect to the CMMC program. However, CMMC 2.0 will not be a contractual requirement until the Department completes rulemaking to implement the program. The rulemaking process and timelines can take up to 24 months. CMMC 2.0 will become a contract requirement once rulemaking is completed.”

Summer 2023

And now, we wait. The government is continuing its progress, as are contractors as they prepare and develop their own plans toward compliance. While we don’t yet know the date that CMMC will just be part of the normal process, we do know it’s coming in the next year or two. So, consider yourself caught up to the latest developments and ready to see the next headline reading something like “DoD Implements CMMC: We’re Finally at the Finish Line!” by 2025.

Susanna Patten is a senior analyst on the TD SYNNEX Public Sector Market Insights team covering technology domain centric trends across the public sector.

Image by chenspec on pixabay.com
