CMMC is Live!

Title 32 Executive Report

After numerous revisions, false starts, and the arduous rule-making process, CMMC is ready for primetime!

32 CFR Part 170 (the Cybersecurity Maturity Model Certification (CMMC) Program rule), published in the Federal Register on October 15th, 2024, becomes effective today, December 16th, 2024.

CMMC is officially live.

CMMC Third-Party Assessment Organizations (C3PAOs) can now begin conducting Level 2 certification assessments for clients who are ready for third-party assessment. Organizations can also complete Level 1 and Level 2 self-assessments under the CMMC assessment guides.

But the rule only defines how the CMMC Program will operate.

Companies want to know “When do I have to be certified?”

The Department of Defense (DoD) has stated that CMMC requirements will begin appearing in contracts through a phased rollout once the companion 48 CFR (DFARS) acquisition rule is published, which is estimated to be Spring 2025. Even so, DoD acquisition officers may require CMMC assessments in their contracts at their discretion, which may mean now.

So, is there a reason to rush?

IMPLEMENTATION TIMELINE

Even though acquisition officers have the ability to require CMMC assessments from today on, it is likely that only a limited number of contracts will include one until the 48 CFR rule is effective.

But one should not wait.

Implementing CMMC and reaching compliance is not a quick process. Understanding the requirements, addressing the technical controls, and crafting the policies, plans and procedures needed to meet CMMC takes significant resources, even for a dedicated business.

The effort to meet CMMC is far from a weekend task. Small businesses are especially challenged by their limited resources, and for that reason implementation can take anywhere from six months to a year to be assessment-ready, and that is with the business fully focused and engaged. Considering both the financial cost and the change in company culture necessary to meet compliance, if your company does not have a solid plan for CMMC, waiting until you see it as a requirement in a contract will be too late.

PRIME PRESSURE

Per the CMMC program language, protecting FCI and CUI is the responsibility of the prime and every subcontractor attached to the contract. It is a full flow-down requirement for any company that will process, store, or transmit FCI or CUI in execution of the contract, and the level required of a subcontractor depends on the information it handles: a subcontractor that handles only FCI needs Level 1, while one that handles CUI needs the Level 2 or Level 3 assessment the contract specifies.

Large defense industrial base companies are already tasking their suppliers to be ready to meet CMMC requirements, by sending questionnaires, requesting letters of attestation, or even visiting suppliers to verify that compliance requirements are being met.

If a prime cannot be confident that a supplier will be ready, it will not risk its own award on that supplier.

With little now standing in the way of CMMC, the usual reasons for waiting no longer hold up. Do these statements sound familiar?

  • We don’t have any current DoD contracts now, so we don’t need CMMC.
  • When we know what level of CMMC we’ll need, then we’ll look at implementing the requirements.
  • We’ll just get a waiver from the DoD that exempts us from needing certification.
  • It’s too complex, too costly, too much of a burden for small business. Something will stop it from going through.

The reality is becoming much clearer: suppliers that are not ready for CMMC, or cannot demonstrate progress toward compliance, are in jeopardy of being left out of the bidding process. If defense-related work makes up a substantial portion of your revenue and you have no plan to implement CMMC, be prepared to be excluded.

Businesses that are doing defense work but have not yet decided whether to pursue CMMC compliance may find themselves in the awkward position of having that decision made for them.

WHAT’S THE ANSWER?

Meeting and maintaining compliance with CMMC is a significant decision, both organizationally and financially. Large defense manufacturers have the resources and budget to become compliant on their timelines. But where does that leave the rest of the defense industrial base?

That’s where FNI comes in. We are ready to assist your business with understanding the CMMC landscape, implementing compliant solutions to satisfy requirements, and training your entire organization on the operational changes.

We offer both a turn-key, FedRAMP-compliant cloud enclave (through our CMMC:OMNI CORE solution, built in Microsoft GCC-High and Azure.gov) and on-premises and hybrid solutions, depending on the needs and structure of your network. Note that an enclave narrows the assessment boundary to the systems that handle FCI and CUI; your organization is still the one assessed against the controls in scope.

Meet with FNI for a free initial consultation and let us show you how to bring structure to your process so that you achieve your CMMC requirements rapidly and cost-effectively.