Cybersecurity Maturity Model Certification (CMMC) Momentum is Building

by | May 19, 2022

Executive Summary:

Cybersecurity Maturity Model Certification (CMMC) will be in all Department of Defense (DoD) contracts over two years earlier than originally scheduled based on recent statements by DoD officials.

 Why is this important?

Many companies in the Defense Industrial Base (DIB) have been waiting out CMMC by attempting to continue to ignore the cybersecurity requirements that have been in in their contracts since 2017.  They are effectively playing a game of chicken with the DoD.

 We can only lead a horse to water, we cannot make it drink but a good steward knows when it’s time to salt the oats. This is the picture SecuriThink has drawn to increase the urgency for our clients’ CMMC business case.

Read More:

What’s the big deal about CMMC?

The main clause in CMMC that gets attention is the introduction of third-party certification of compliance with cybersecurity requirements. This applies not only for prime contractors but for all tiers of the supply chain. There are different levels of requirements depending on the sensitivity of the data you handle but all companies that do business with the federal government have at least 17 cyber requirements in contracts now even without CMMC.

 Research indicates only 25% of the cyber requirements in existing contracts have been implemented so many organizations are at risk of losing DoD business if, as planned, certification of the entire bidding team becomes necessary before contracts are awarded.

    What’s the impact of recent news?

    There are two themes:

    • The CMMC schedule is accelerating, not being delayed
    • The CMMC infrastructure is being put in place to scale the effort to enforce the requirement

    The Schedule

    May 2023 is the most recent date now forecasted for CMMC to appear in all new contracts awarded or existing contracts amended by the DoD. That timing is two months earlier than the previous forecast of July which was 5 months earlier than the original timing announced for CMMC 2.0 which was December of 2023. Even that was well ahead of the date for CMMC 1.0 to be in all contracts which was October of 2025.

    The Infrastructure

    The CMMC-AB has been making to build infrastructure. The status includes:

    • Certified Third Party Assessment Organizations (C3PAOs) number 12 fully authorized as of May 19, 2022, 20 in the queue for 2022 and over 200 pending1
    • Provisional Instructors and Assessors number 200+ trained and ready to kickstart the program2
    • The first exam, that for the Certified CMMC Professional (CCP), is scheduled to be in beta release in August 2022 and publicly released in October3
    • Assessor applications filed with the CMMC-AB number several thousand4

    What’s needed?

    • If your organization is already working on compliance with existing requirements, then sharing this picture with stakeholders may help the medicine go down that much easier
    • If your organization is not compliant with existing requirements then show this picture to your business decision makers to gauge their appetite for keeping their existing DoD business or going after new contracts
    • Watch the SecuriThink Field Notes space for more posts on how we make the business case for cybersecurity to business asset owners

    Sources:

    1. CMMC-AB Marketplace and DIBCAC director
    2. CMMC-AB Curriculum manager
    3. CMMC-AB Town Hall meeting
    4. CMMC-AB Board Director
    5. Link to announcement May 9,2022: https://www.fedscoop.com/pentagon-updates-timeline-for-cmmc-cybersecurity-initiative/https://insidecybersecurity.com/share/13502