CMMC 2.0 is Coming Ahead of Schedule

CMMC 2.0 rulemaking has drawn to a close earlier than expected, with the Department of Defense sending its proposed rules to the Congressional Budget Office earlier this month. This development occurred ahead of the expected timeline, putting CMMC on track for enforcement before the end of 2024.

For some time, companies that contract with the Federal Government have been watching to see when the regulations governing their cybersecurity will be updated. CMMC 2.0 will require third party assessments for any contractors dealing with controlled unclassified information (CUI). That means contractors will soon need to prepare for and schedule their assessments.

What does that mean for Federal Government contractors? It means the DoD is on target for the planned rollout of CMMC in Q1 2025.

The Process

Changing an entire regulatory framework at the federal level is a complex process. Two main rules will need to be updated: 32 CFR and 48 CFR. Currently, 32 CFR has reached its final phase before publication—review by OIRA, the Office of Information and Regulatory Affairs. Publication is likely to happen in the next month.

48 CFR hasn’t yet reached this point, but it’s simpler than 32 CFR and is expected to follow soon after it. This is the part that requires contractors to ensure the same standards are met for all their subcontractors.

Once CMMC 2.0 is in effect, third-party certifications will start right away in the first quarter of 2025. During the first six months, some contracts will accept a self-assessment that companies meet the level one or two CMMC requirements. But by the end of that six months, new and renewing contracts will require third-party assessments for most level two certifications.

The Problem for Contractors

The issue here is obvious: since third-party assessments don’t even begin till the rule change goes into effect, that doesn’t leave contractors a lot of time to get theirs. And there aren’t enough third-party assessment organizations to get everyone assessed quickly. There are a limited number of third-party assessors, and if you aren’t in line for assessment already, you may not be assessed in time.

Mission Compliant helps businesses identify the exact areas where compliance improvements need to be made so that contractors can prepare for their assessments. With a detailed list of steps to take, contractors can dive into their cybersecurity now so they can be assured of passing assessments as soon as CMMC goes into effect.

The Difference Between Compliance and Certification

Cybersecurity requirements aren’t new and aren’t in question. They’re spelled out in NIST 800-171, which all contractors are legally supposed to be following. Many companies don’t have expertise in the NIST 800-171 standard to identify areas where they are out of compliance. Companies which haven’t been in compliance will first have to fix any problems in their cybersecurity—a process that takes some time.

Compliance with the standard has been required under DFARS 252 for years, so there isn’t a question of having six months to comply—you have six months to prove that you are already complying, by means of a third-party assessment. If you’re out of compliance, you’ll be at risk immediately.

Consequences of Non-Compliance

Failing to handle sensitive data appropriately is serious, even in the private sector. While working for the Federal Government, it’s even more so. Failure to comply with the standards can result in lost contracts, canceled contracts, and in some cases prosecution.

In August, the Department of Justice filed suit against Georgia Tech for failing to meet cybersecurity standards. The university’s self-assessment claimed a higher cybersecurity score than it had actually earned, and the DOJ is arguing they knew the score was inaccurate. If true, the violation will have far-reaching effects for Georgia Tech.

Next Steps for Your Business

There are two crucial things every federal contractor should be doing right now, before CMMC 2.0 goes into effect. First, they need to analyze their own compliance gaps and plan remediation steps. Next, they need to find a certified third-party assessment organization and plan for their assessment as soon as possible.

Compliance has to come first. An assessment your company fails is worse than useless. So the first step is to have a gap analysis done, to discover any areas in which your company is out of compliance. Only then can you begin the steps to correct these gaps.

Mission Compliant can provide both gap analysis and a plan of action for bringing your company into compliance. Contact us today to ensure there will be time to make the necessary corrections before CMMC 2.0 goes into effect.

Compliance is Our Mission

Contact us today for an evaluation of your policies, procedures, and compliance requirements so you can rest easy.