The regulatory landscape is constantly changing, to the extent that many organizations are finding it hard to keep up. However, achieving and maintaining compliance is critical for holding on to lucrative contracts, as well as expanding into new markets. For organizations working with the Department of Defense, the uncertainty around achieving the desired compliance level of the Cybersecurity Maturity Model Certification (CMMC) is one of the biggest challenges.
The CMMC regulations are still a work in progress, but DoD contractors need to keep one step ahead if they’re to maintain their vendor relationships. Also, contrary to widespread belief, CMMC is still very much on track, despite disruptions caused by the ongoing pandemic. Organizations should focus on three main priorities – achieving DFARS compliance, finishing their plans of action and milestones, and preparing to meet the requirements for the desired CMMC level.
Preparing for third-party assessment
The most critical element of the CMMC regulations is the need for third-party assessments. Every DoD contractor will need an assessment before it can receive a certification demonstrating its ability to meet a specific maturity level. However, the CMMC Accreditation Body, which is currently run by a board of volunteers working independently of the DoD, is still very much a nascent organization. Training for the first assessors only started at the end of August, so it will be some time before obtaining a third-party assessment becomes a legal necessity.
What the first round of assessments will do, however, is use provisional assessors to test the process. These mock assessments won’t come with any certifications. However, all DoD contracts will still need to meet CMMC requirements by 2025. That may sound a long way off, but there’s also little doubt that the first assessment rounds will be in especially high demand. There are, after all, more than 300,000 organizations that make up the DoD supply chain. The expectation is that official audits won’t be carried out until the CMMC regulations are finalized.
The DFARS rule update for CMMC
In August, the acquisitions office proposed an amendment to the DFARS 252.204-7012 rule, which pertains to the disclosure of controlled unclassified information (CUI). This refers to the contract rule which currently demands a high level of cybersecurity maturity and applies to the majority of DoD contractors. The amendment is expected to replace the 110 controls defined in the NIST SP 800-171 standard with the 1- to 5-level approach of the CMMC.
If and when this amendment is approved, it will usher in the official introduction of the CMMC requirement, and will apply to all DoD contractors. Release of the amendment for public review is almost imminent. Following release, it’s expected that there will be a 60-day period during which feedback is collected and incorporated and any updates to the CMMC rules and regulations applied. It will then be published in its final form before going into effect 30 days afterwards. There is still a high chance that this will happen before the end of the year.
What about possible delays caused by COVID-19?
The rollout of the CMMC regulations has inevitably been delayed by the ongoing pandemic. While this slight delay gave contractors a little more time to prepare, there are still some concerns that massive backlogs could slow the audit and certification process, since it will involve on-site visits. The NDIA, however, has stated that CMMC remains one of its highest priorities.
What actions does your organization need to take now?
As DoD contractors wait with bated breath for updates and timescales for CMMC compliance, there’s a lot to be uncertain about. However, now is also a great opportunity to familiarize your team with the technical requirements of CMMC and decide which certification level you want to achieve for your organization. For the most lucrative DoD contracts, a CMMC level 4 certification or higher is necessary.
While it’s impossible as yet to know exactly what the final requirements will be, the underlying foundations are already well established. Now is the time to start evaluating your cybersecurity practices and procedures and to identify any gaps in them. By obtaining full visibility into your technology infrastructure, you’ll be better positioned to navigate the final process and meet the requirements that future assessors will be looking for.
If you already have an advanced and adaptable cybersecurity infrastructure in place that leverages ongoing employee training and innovative technology solutions, there isn’t much to worry about when it comes to getting a CMMC certification. That’s why Charles IT is on hand to help you prepare for the uncertain future regulatory landscape and achieve the desired level of CMMC compliance well in advance of it becoming a legal requirement. Contact us today to find out how we can help.