Anyone who has been closely following the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) program knows the effort has experienced a fair number of complications and delays. For those keeping track of the timeline, DoD first announced the CMMC program in June 2019 (discussed here), released version 1.0 of the CMMC model document in February 2020 (discussed here), and published an interim rule in September 2020 (discussed here). In response to the 850+ comments it received on the interim rule, DoD reviewed and restructured the program into “CMMC 2.0” in November 2021 (discussed here). DoD consistently has said the CMMC 2.0 rulemaking process could take anywhere from 9-24 months, which left companies to wonder when that time period would begin and what the timeline might look like – and also whether this could mean a significantly reduced timeline from that originally announced. DoD has provided some clarity during recent speaking engagements and conferences.

While the interim rule contemplated a phased approach with the CMMC requirement ultimately to be included in all DoD solicitations and contracts by October 1, 2025, DoD recently announced at a “CMMC Day” conference it expects to complete its documentation to submit to the Office of Management and Budget (OMB) for the rulemaking process by July 2022, and expects to issue interim final rules by March 2023.[1]

If DoD sticks to this new timeline, the CMMC requirements could begin appearing in solicitations as early as May 2023 (60 days after the rules are published). DoD also announced it plans to roll out the CMMC requirements in solicitations under a “phased approach.” In particular, for phase one, when the CMMC requirement first starts appearing in solicitations, all offerors will be required to conduct a self-assessment (rather than obtain a third-party certification) and provide a positive affirmation of compliance. Then, in phase two (with timing still to be determined), solicitations will require either self-assessments or third-party certifications (depending on the type of CUI and the required certification level).

Summary of Key Anticipated Dates

July 2022: DoD completes its documentation to submit two rules to OMB for the rulemaking process.
March 2023: Publication of the interim final rules.
March-May 2023: 60-day comment period.
May 2023 and beyond[2]: CMMC requirements in solicitations:
  • Phase 1 – self-assessments only
  • Phase 2 – self-assessments and third-party certifications (if required)
???: Publication of final rules.

DoD also has confirmed that the third-party CMMC certification (associated with some Level 2 and all Level 3 programs) will be good for three years, but contractors will be required to provide an annual affirmation confirming compliance. DoD plans to store the CMMC certificates (and the associated third-party assessment data) in the CMMC Enterprise Mission Assurance Support Services (eMASS) database. The CMMC eMASS automatically will post a copy of a company’s CMMC certificate to the Supplier Performance Risk System (SPRS), but the detailed results of a CMMC assessment will not be made public.

Apart from the third-party certifications required for Level 3 and some Level 2 programs, the self-assessments required for Level 1 and some Level 2 programs must be performed on an annual basis (accompanied by an associated affirmation by a senior company official). At least for Level 1, DoD has clarified that after performing the self-assessment, the company will be required to submit the results and annual affirmation via SPRS. This means many companies that have not yet had to use SPRS will need to create an account and ensure access to the platform.

Conclusion

It seems the time finally has come for DoD contractors to acknowledge that CMMC is imminent (and sooner than many had anticipated). Contractors should prepare their information systems for a CMMC assessment (if they have not already), and seriously consider performing a comprehensive self-assessment sooner rather than later. Companies that already are required to have a NIST 800-171 assessment score posted in SPRS (based on the requirements in DFARS 252.204-7019 and -7020) should be actively working to remediate any gaps and consider updating their score to ensure it reflects the current posture of the system. In this regard, DoD has announced it will be checking the accuracy of reported scores in SPRS by performing “medium assessments” as described in the DFARS.

Immediate focus on a comprehensive CMMC assessment will help further the goal to enhance the security of the Defense Industrial Base, and may be beneficial from a cost standpoint as well. NIST recently announced plans to update NIST SP 800-171 (the foundational document against which most CMMC assessments will be conducted).[3] In parallel, DoD announced that “companies who receive a CMMC certification prior to the update to NIST 800-171 will only need to meet the requirements in the current standard” (Revision 2) rather than having to work against the updated standards in the forthcoming Revision 3.[4] An earlier assessment may allow companies more time to understand and digest changes to the standard and any additional security controls before using it as a baseline for future assessments.

FOOTNOTES

[1] Interim final rules are to be released under Title 32 and Title 48 of the CFR. This includes an update to the existing CMMC interim rule that was released in September 2020 (DFARS Case No. 2019-D041, “Assessing Contractor Implementation of Cybersecurity Requirements”). According to the Federal Register notice, “Cybersecurity Maturity Model Certification (CMMC) 2.0 Updates and Way Forward” (which was later withdrawn, but is available at https://www.govinfo.gov/content/pkg/FR-2021-11-17/pdf/2021-24880.pdf), the title 32 CFR rulemaking for the CMMC will occur first, and will be “followed by additional title 48 CFR rulemaking, as needed, to implement any needed changes to the CMMC program content in 48 CFR.” 86 Fed. Reg. 64100.

[2] DoD has confirmed the CMMC requirement will not be included in solicitations until after the 60-day comment period (following publication of the interim rules).

[3] See “The NIST SP 800-171 Series: What’s New and Looking Ahead,” (May 9, 2022), available at https://cmmcday.org/wp-content/uploads/2022/05/M1b-PillitteriV.pdf.

[4] See Sara Friedman, “Pentagon Moves Up Timeline For Release of Interim Final Rules to Implement Cyber Certification Program,” INSIDE CYBERSECURITY (May 11, 2022), available at https://insidedefense.com/daily-news/pentagon-moves-timeline-release-interim-final-rules-implement-cmmc-program# (last visited June 7, 2022).