The Department of Defense recently provided clarification on the timeline for implementing its Cybersecurity Maturity Model Certification (CMMC) program. The DoD now plans to complete documentation for submission to the Office of Management and Budget for its rulemaking process by July 2022, and it plans to issue draft final rules by March 2023. If the DoD sticks to this new timeline, CMMC requirements could start appearing in government procurement tenders as early as May 2023 (60 days after the rules are published).
The DoD plans to deploy the CMMC requirements in tenders as part of a “phased approach.” During the first phase, when the CMMC requirement begins to appear in tenders, all offerors will be required to complete a self-assessment and provide a positive affirmation of compliance. This contrasts with third-party certification, which will eventually be required for some contractors under the CMMC. In the second phase, solicitations will require either self-assessments or third-party certifications; which approach is required depends on the type of information involved and the level of certification required. The schedule for phase two remains to be determined.
The DoD has also confirmed that third-party CMMC certification will be valid for three years after certification is issued (although not required until Phase 2, contractors may choose to obtain certification sooner), but contractors will be required to provide an annual affirmation confirming compliance. Third-party certification is for those associated with critical programs and contracts involving information critical to national security. Self-assessments, required for contractors that do not handle national security critical information, will need to be performed on an annual basis, and each assessment should be accompanied by an associated affirmation by a senior company official.
Putting it into practice: It seems the time has finally come for DoD contractors and suppliers to prepare their information systems for a CMMC assessment, if they haven’t already done so. Now is the time for DoD contractors to consider (1) comprehensive self-assessments, (2) appropriate corrective actions, and (3) updating all reported cybersecurity scores to ensure that they reflect the current state of the system.
The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation.