The CMMC framework has officially been submitted for its 90-day review.
After being formally announced in September 2020, the Cybersecurity Maturity Model Certification framework is now coming to fruition.
The DoD’s submission of the CMMC program to the OMB’s Office of Information and Regulatory Affairs (OIRA) was reported by Defense Scoop in a July 25 article:
DOD sent its CMMC framework to OMB’s Office of Information and Regulatory Affairs, which will take the next 90 days or less to review the rule…
While the submission signifies yet another period of uncertain waiting for the DOD contracting community to see what happens in what’s already been a yearslong journey, it does solidify the fact that DOD has come to a consensus on a final rule and that CMMC is coming in the not-so-distant future.
So what does it all mean for small and medium businesses in the defense industrial base?
We’ll provide you with answers in this post. Here’s what you can expect to learn:
- A Quick Review Of CMMC 2.0
- What’s Next In 2023 And What To Expect In 2024
- The Recent Announcement And What It Means For Our Clients
- Actions You Need To Take (And When) To Prepare For The CMMC 2.0 Rollout
- What You Need To Do Next
So let’s start at the beginning.
A Quick Review Of CMMC 2.0
We did a full review of the history of CMMC 2.0 in a previous blog post, so here is a quick summary:
DoD did a 9+ month review of CMMC 1.0 from late 2020 well into 2021, without releasing any meaningful information. There was a fair amount of industry chatter about what was happening with the process, but nothing official.
This quiet period continued well into 2021, and nothing much new happened until November 4. That’s when CMMC 2.0 was officially announced.
Activity around CMMC 2.0 picked up significantly after the press release, in the form of DIB discussions, speculation, webinars, etc. The scuttlebutt continued throughout calendar year 2022.
So here we are in mid-2023, and the CMMC framework has officially been submitted to the OMB’s OIRA for a 90-day (or less) review.
Where do we go from here?
What’s Next In 2023 And What To Expect In 2024
The rulemaking process is underway, and we won’t know for sure where CMMC is headed for 90 days or so, as the DoD CIO points out:
But there are essentially two paths CMMC 2.0 can take when it’s published to the Federal Register. It can either be published as a proposed new rule or regulation or as an interim final rule. The first scenario would kick off a lengthy process that could take a year or more.
If it’s published as an interim final rule, which we feel is the more likely scenario, it would take effect as a final rule immediately and begin to roll out over the next 60 days.
We could start to see CMMC requirements in DoD contracts immediately as part of a phased rollout.
But how will it affect DIB contractors?
Regardless of what happens, we agree with Defense Scoop that “CMMC is coming in the not-so-distant future.”
Preparing for CMMC 2.0 under the NIST 800-171 guidelines is a process that can take 12-18 months. So today is an excellent time to get started with an assessment of your security posture in the context of the CMMC/NIST guidelines.
The federal government is also pushing DoD contractors to the cloud, to take advantage of cybersecurity capabilities at scale and meet the stringent DoD data protection standards in CMMC 2.0.
If your infrastructure is not in the cloud yet, there’s no need to panic. But you will need to start making some technology decisions in the very near future.
So let’s figure out where you are currently with regard to cybersecurity, where you need to go, and what it will take to get there.
Regardless of where you are with your CMMC 2.0 cybersecurity preparedness, don’t be intimidated. We’re here to help.
Let’s start designing your compliance action plan together. And today is a great time to get started.
At SME, we have a team of experts with the extensive experience, CMMC 2.0 knowledge, and certifications that it takes to keep up with today’s incredibly fast-paced world of cybersecurity.
We’re laser-focused on information security, so you don’t have to be.
Hopefully you’re feeling more confident already.
Call us at (703) 782-9140 to schedule Your Free CMMC 2.0 Cybersecurity Assessment Today!