CMMC On Fast Track to Becoming Law
Posted by: Jason Spencer
What is the latest?
The Cybersecurity Maturity Model Certification (CMMC) 2.0 Proposed Rule, 32 CFR 170, was announced on December 26, 2023 and has been on a lightning course toward approval by Department of Defense (DoD) standards. On Thursday, June 27, the Proposed Rule was put in the hands of the Office of Information and Regulatory Affairs (OIRA) for final approval. This stage is considered the “Final Rule” stage, which is one step before the “Congressional Rule” stage. OIRA has up to 90 days (which can be extended to 120 days) to review and approve or deny the Proposed Rule, but OIRA could also approve the rule in a matter of days, as it has no minimum time for approval. Upon approval, OIRA will set an effective date, which can be as little as 30 days after approval; historically, however, 60 days or more is more typical.
What will happen next?
After OIRA’s approval and setting of an effective date for the rule, it will be sent to Congress for review. Congress and the Government Accountability Office (GAO) will review the rule and have final authority to nullify it. It is expected that Congress will provide approval prior to the end of its current legislative term in January 2025. Upon approval, CMMC compliance will immediately be included in some DoD contracts as mandatory (a condition of contract award). CMMC compliance will be mandatory in all DoD contracts by 2028.
What should I do?
The current DFARS (Defense Federal Acquisition Regulation Supplement) clauses and their NIST SP 800-171 requirements have been in place since 2018 and are enforceable now. Between this and CMMC 2.0’s full implementation on the horizon, your company should already be well down the path toward compliance. The DoD has outlined in the Proposed Rule the phased introduction of the CMMC 2.0 clauses, so do not expect all contracts to have CMMC compliance verbiage included starting in early 2025, but you would be wise to be prepared for this eventuality.
The ability to attest to compliance with CMMC 2.0 will affect your ability to bid on contracts and could affect current contracts. If you process, store, or transmit FCI and/or CUI, your focus should be on the DFARS clauses 252.204-7019, 252.204-7020, and 252.204-7021, as these clauses are within current contracts and enforceable now, independently of the finalization of the CMMC Rule. Additionally, focus should be on working toward compliance with NIST SP 800-171 Revision 2 (not Revision 3, as of this writing), as this is the control set used by both DFARS and CMMC 2.0. Pay particular attention to scoping activities so that you correctly define the environment to which these controls will need to be applied.
As a Cyber AB Registered Provider Organization (RPO), GuidePoint Security can provide expert guidance with your CMMC compliance efforts. GuidePoint offers CMMC gap assessment and advisory services, delivered by Registered Practitioner (RP) and Registered Practitioner Advanced (RPA) consultants with operations backgrounds who understand how to apply the CMMC controls to your environment, and who can advise on determining the in-scope environment and any changes or additions needed to close compliance gaps. A gap assessment can be viewed as a “practice run” for formal CMMC certification by a Certified 3rd-Party Assessor Organization (C3PAO) once the CMMC 2.0 rule is official.
Jason Spencer
Senior Security Consultant, Compliance,
GuidePoint Security
Jason Spencer is a Senior Security Consultant in GuidePoint Security's Compliance practice. He began his career in the security industry in 2010, and his professional experience includes security assessments, specializing in network, wireless, and vulnerability management. Jason has led and participated in compliance assessments throughout the world for industries such as banking, commercial, and federal agencies. Jason’s extensive experience in network security assessments includes perimeter, network, and wireless assessments, database auditing, workstation reviews, social engineering, and firewall auditing. He has also worked within Network Operations Centers (NOC) and Security Operations Centers (SOC).
Jason earned a Bachelor of Arts degree in Geology with Teacher certification and holds several certifications, including the Certified Information Systems Security Professional (CISSP).