May 2023 CMMC Rulemaking: It’s Time to Get CMMC Certified

Formal rulemaking for the CMMC (Cybersecurity Maturity Model Certification) is on track to begin within the next few weeks, in May 2023.

Rather than moving ahead with formal compliance with NIST SP 800-171 and CMMC 2.0 Level 2, many U.S. DIB (defense industrial base) organizations are waiting to see how the rulemaking shifts the requirements.

However, if an organization currently has gaps against the CMMC requirements, it should not wait to close them.

In this blog, we look at where we stand in the rulemaking process since last year’s review. We examine what the assessment procedures are, and explore why now is the right time for DIB organizations to get CMMC certified. 

Current CMMC certification requirements

The CMMC is the certification that the U.S. DoD (Department of Defense) intends to require of any company bidding on its contracts. The current version of the model is CMMC 2.0. The certification was developed to ensure that all DoD suppliers and contractors meet the required standards for cybersecurity.

This baseline level of security provides a necessary measure of protection for the defense supply chain, reducing the chance that a breach at one contractor spreads through the networks of the others.

CMMC certifications protect sensitive government information and help the DoD measure and assess the security of new contractors, suppliers, and subcontractors. This is vital, especially considering that cyber attacks rose by 50% in 2022.

Cybersecurity standards have been mandated for defense contractors since 2017, when DFARS 252.204-7012 required implementation of NIST SP 800-171. Initially, defense contractors were able to self-assess whether they complied with NIST SP 800-171, with no obligation to report the result.

However, in late 2020, the DoD's DFARS interim rule began requiring these self-assessment scores to be filed with the DoD SPRS (Supplier Performance Risk System). CMMC builds on that reporting step: it keeps the same NIST SP 800-171 requirements and adds independent verification that they are actually implemented.

The CMMC model may eventually be adopted beyond DoD suppliers by other federal or state entities, but no such requirement exists today; the only binding scope is DoD contracting.

Assessment procedures for the CMMC 

To pass a CMMC Level 2 certification assessment, defense contractors need to work with a C3PAO (CMMC Third-Party Assessment Organization) that has been authorized by the Cyber AB, the CMMC accreditation body.

To date, 35 organizations have been approved as C3PAOs and hundreds more are currently going through training and evaluation procedures.

When the CMMC comes into full effect, we may find that the increased demand for accredited C3PAOs outpaces the current limited number of such organizations. 

In addition, there is uncertainty over which Level 2 contracts will still accept a self-assessment and which will require a C3PAO assessment once the CMMC rulemaking is complete.

The assessment process first requires contractors to identify the specific kind of government data that their organization deals with. That includes data they encounter directly, or indirectly via a business partner.

This information allows the contractor to identify which level of compliance is required, as determined by its interactions with FCI (federal contract information) or CUI (controlled unclassified information). Handling only FCI maps to Level 1; handling CUI maps to Level 2, or Level 3 for the most sensitive programs.

Typically, these requirements are included in the original contract agreed between the DoD and the prime contractor (prime). Or, in the case of a subcontractor agreement, the contract will outline these requirements between the subcontractor organization and its prime. 

The organization must then undergo a gap analysis to determine where it may need to shore up cybersecurity.

The gap analysis is measured against the NIST SP 800-171 requirements that CMMC Level 2 adopts. Organizations already aligned to a framework such as ISO 27001 will find considerable overlap, but CMMC is assessed against NIST SP 800-171, not ISO 27001, so each of the 110 requirements needs to be mapped and checked individually. Finally, the organization must plan to resolve any identified security gaps in its process maturity and practices, typically by recording them in a POA&M (plan of action and milestones).

Four reasons DIB organizations should get CMMC certified now

Although we don’t yet know which contracts the CMMC will cover, prospective contractors should continue to get ready for the widespread implementation of CMMC regulations. 

The controls and measures under NIST SP 800-171 have in most cases already been required by individual defense contracts for years. Even if this month's rulemaking results in new requirements, the only real changes will be to the way an organization's compliance is assessed and verified, not to the underlying controls.

If you are a DIB organization, here are four reasons you should get CMMC certified now.

1. More preparation time

Ideally, organizations would have begun preparing for official assessment in March and continued through April.

Although the rule is expected imminently, it's still not too late to start preparing. Even a small amount of preparation can make a big difference.

Implementing some controls is complex and lengthy: rolling out multi-factor authentication to every account, moving CUI encryption onto FIPS-validated modules, or standing up centralized audit logging typically takes weeks of procurement, rollout and testing. Tooling projects such as machine-learning-based detection can take even longer (one survey found 28% of machine learning models take up to 30 days to deploy). These adjustments will continue into next year, so preparing now is a smart move.

2. Primes already requiring a self-assessment

Primes are already requesting that subcontractors file their NIST SP 800-171 self-assessment scores in the DoD SPRS database and share those scores with the prime.

Primes require you to submit evidence that you have attained a score at or close to 110, the maximum, which indicates that every requirement is implemented. Under the DoD Assessment Methodology the score starts at 110 and loses 1, 3 or 5 points for each unimplemented requirement, so a score well below 110 (it can go negative) tells the prime how much risk remains. You will need to submit a copy of your SSP (system security plan), and usually your POA&M, to primes and confirm your score to continue doing business with these organizations.
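To make the scoring concrete, the following is a small calculator that applies the DoD Assessment Methodology's scoring rules to an SSP's recorded status per requirement: start at 110, subtract each unimplemented requirement's weight of 1, 3 or 5 points, and allow partial credit only for 3.5.3 (MFA) and 3.13.11 (FIPS-validated cryptography). It also orders the open gaps by how many points each one costs, which is how a practitioner prioritises a POA&M. This is an added example, not code from the original post or from IT Governance USA; the per-requirement weights in SAMPLE_WEIGHTS and the example SSP status are constructed for illustration, and real weights must be taken from the methodology's own table.

```python
"""Self-assessment score calculator in the style of the DoD Assessment Methodology.

Added example: the weights below are constructed for illustration, not the
official table, and only a handful of the 110 requirements are listed.
"""
from typing import Dict, List, Tuple

MAX_SCORE = 110  # one point per NIST SP 800-171 Rev. 2 requirement

# Constructed sample of per-requirement weights (1, 3 or 5). The official
# weights come from the DoD Assessment Methodology table; these values are
# assumptions for this example only.
SAMPLE_WEIGHTS: Dict[str, int] = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.22": 1,   # control CUI posted on publicly accessible systems
    "3.3.3": 1,    # review and update logged events
    "3.5.3": 5,    # multi-factor authentication (partial credit possible)
    "3.13.11": 5,  # FIPS-validated cryptography (partial credit possible)
    "3.14.2": 5,   # malicious code protection
}

# Only these two requirements can earn partial credit under the methodology:
# 3.5.3 when MFA covers remote and privileged users but not general users,
# 3.13.11 when CUI is encrypted but not with FIPS-validated modules.
PARTIAL_CREDIT_DEDUCTION: Dict[str, int] = {"3.5.3": 3, "3.13.11": 3}

IMPLEMENTED = "implemented"
NOT_IMPLEMENTED = "not_implemented"  # includes anything still open on the POA&M
PARTIAL = "partial"


def sprs_score(statuses: Dict[str, str],
               weights: Dict[str, int] = SAMPLE_WEIGHTS) -> int:
    """Return the self-assessment score for the given requirement statuses.

    `statuses` maps requirement id -> IMPLEMENTED / NOT_IMPLEMENTED / PARTIAL.
    Requirements absent from `statuses` are treated as implemented (an
    assumption for this example; a real assessment records all 110).
    """
    score = MAX_SCORE
    for req, status in statuses.items():
        if req not in weights:
            raise KeyError(f"no weight recorded for requirement {req}")
        if status == IMPLEMENTED:
            continue
        if status == PARTIAL:
            # Partial credit is not available for any other requirement;
            # anything else that is half-done counts as not implemented.
            if req not in PARTIAL_CREDIT_DEDUCTION:
                raise ValueError(f"{req} does not allow partial credit")
            score -= PARTIAL_CREDIT_DEDUCTION[req]
        elif status == NOT_IMPLEMENTED:
            score -= weights[req]
        else:
            raise ValueError(f"unknown status {status!r} for {req}")
    return score


def remediation_order(statuses: Dict[str, str],
                      weights: Dict[str, int] = SAMPLE_WEIGHTS) -> List[Tuple[str, int]]:
    """List open gaps with the points each one currently costs, highest first,
    so the POA&M can be prioritised by score impact."""
    cost: List[Tuple[str, int]] = []
    for req, status in statuses.items():
        if status == NOT_IMPLEMENTED:
            cost.append((req, weights[req]))
        elif status == PARTIAL:
            cost.append((req, PARTIAL_CREDIT_DEDUCTION[req]))
    return sorted(cost, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    # Constructed example SSP status for a small contractor.
    example = {
        "3.1.1": IMPLEMENTED,
        "3.1.22": NOT_IMPLEMENTED,
        "3.3.3": NOT_IMPLEMENTED,
        "3.5.3": PARTIAL,            # MFA on VPN and admin accounts only
        "3.13.11": NOT_IMPLEMENTED,  # CUI not yet encrypted at rest
        "3.14.2": IMPLEMENTED,
    }
    print("score:", sprs_score(example))  # 110 - 1 - 1 - 3 - 5 = 100
    for req, pts in remediation_order(example):
        print(f"  {req}: {pts} point(s)")
```

The ordering function is the useful part in practice: two one-point gaps and one five-point gap cost the same as seven one-point gaps, so the POA&M should be worked from the top of that list down, and a prime reading your SPRS score and POA&M will look at the high-weight items first.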

3. Lower costs

The costs for implementing the necessary changes to pursue CMMC compliance are unlikely to get any lower than they are now.

Since many DIB organizations are waiting for the rulemaking before implementing compliance policies and updates, there are currently plenty of CMMC RPOs (registered provider organizations) and authorized C3PAOs with capacity to help.

Organizations can expect to pay between $60 and $100 or more per hour for an experienced engineer or consultant who can implement controls and tooling that meet the CMMC requirements. As more organizations pursue compliance at once, both consulting and assessment costs are liable to rise.

4. Getting certified boosts your cybersecurity

Achieving CMMC certification has added benefits, beyond ensuring that you can continue to contract with the DoD.

As certification requires stringent cybersecurity measures that are up to contemporary standards, fulfilling these requirements means that you will also be bolstering your organization's internal cybersecurity.

Note that incident reporting applies regardless of certification status: if your organization experiences a cyber incident affecting covered defense information, paragraph (c) of DFARS 252.204-7012 requires you to report it rapidly to the DoD (within 72 hours of discovery), so incident response and evidence preservation procedures should be in place before an assessment, not after.

Final thoughts

The ultimate aim of becoming CMMC compliant is not just to be able to attain contracts with the DoD. Ensuring that your organization meets CMMC standards also reduces your cybersecurity risks, and keeps CUI secure and protected against external threat actors. 

By starting today on your organization's compliance preparations, you will be ready for the increase in federal enforcement of security requirements. Acting now will also save you money, and protect your organization's assets and data.

IT Governance USA offers a range of solutions for organizations looking to achieve CMMC compliance or bolster their practices.

For more than 20 years, we’ve helped hundreds of organizations with our deep industry expertise and pragmatic approach.

Our CMMC Remediation Service is ideal for those hoping to address compliance gaps that they’ve identified.

We’ll help you close weaknesses in your practices, and produce an assessment report of how your organization fulfills the requirements of the 59 objectives for CMMC Level 1.

We also offer a service to help with Level 2 assessments, as our team of experts build your SSP (system security plan) into our templates, provide guidance on closing gaps and help you prepare for your CMMC Level 2 assessment.