CMMC version 1.0, released on January 31, 2020, introduced multiple maturity levels that contractors working with the Department of Defense (DoD) could obtain, ranging from “Basic Cybersecurity Hygiene” (Level 1) to “Advanced” (Level 5), to meet DoD cybersecurity standards. In November 2021, “CMMC 2.0” was announced, streamlining the CMMC framework from 5 levels to just 3 levels. We break down CMMC compliance in this article to explain why it’s essential to meet these standards to work with the Federal Government.
The CMMC final rulemaking is now officially underway, following the DoD’s submission of the CMMC 2.0 rule to the Office of Management and Budget’s (OMB) Office of Information and Regulatory Affairs (OIRA) on July 24, 2023. It is anticipated that OIRA’s review will be completed by early Q4 2023, with contractual CMMC implications to follow. The exact timing of when DoD contractors should expect to see CMMC in specific contracts is still uncertain. CMMC contractual requirements could begin in mid to late 2024 or early 2025, depending on whether CMMC becomes an interim final rule or not.
So, what does this mean?
Being proactive is key. While many contractors will wait until the final CMMC rule to begin their compliance transition, it takes time to achieve compliance with CMMC’s 110 cybersecurity requirements. Implementing new technical solutions, developing compliant policies, processes, and procedural documentation, and executing organizational change strategies is no easy task. At Alluvionic, we have observed that most small to mid-sized companies require 9-18 months to progress from an average starting state to being assessment-ready.
So, what should defense industrial base contractors be doing now to get prepared?
DFARS Compliance: Keep up with your DFARS compliance, which remains the current requirement. Assess against NIST 800-171 rev2, develop and maintain your Plan of Actions and Milestones (POAMs), and keep versioning that system security plan (SSP)!
CMMC Documentation: Ensure you are building out policy, process, and procedural documentation in alignment with CMMC controls.
Technical Implementation: Need to implement new technical controls? Start NOW. Change is hard, and it can take time to find the right solution. Alluvionic is available to support a trade study to analyze technical solutions and help you determine what is right for you.
Cybersecurity is more than IT: Cybersecurity is about people and processes. Effective organizational change management is critical to success.
CMMC Planning with Alluvionic
Alluvionic’s process for CMMC compliance will assist your team by baselining your organization, building a plan with milestones, implementing new tools and processes to remediate deficiencies, and finally achieving certification. Learn more here and contact our team today to start your CMMC process.