What is Next for CMMC?
As you recover from you turkey coma, just remember your regulation compliance never takes a holiday. An interim rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to create new assessment and certification requirements for DoD contractors was issued back in late September. This interim rule goes into effect Monday. Along with introducing the DoD Assessment Methodology, the rule also introduces the DoD’s Cybersecurity Maturity Model Certification (CMMC) program. CMMC will not be fully implemented until 2025, but it should still be at the forefront of your compliance strategy if you intend to pursue defense work anytime soon.
On the Cybersecurity Maturity Model Certification side of the rule, yes, the full implementation won’t go into effect until October 2025. However, through new DFARS clause regarding contractor compliance with the CMMC level requirement, contractors must maintain a certain Cybersecurity Maturity Model Certification level (i.e. between 1 and 5). In this case, CMMC is intended to provide comfort that DOD contractors’ systems have processes and practices that are sufficient to protect info like Controlled Unclassified Information (CUI). Once Cybersecurity Maturity Model Certification is in effect, a new contract cannot be awarded, nor can a contract option be exercised, if the contractor does not have a current certification at the required CMMC level.
Once in effect, Cybersecurity Maturity Model Certification will apply to almost all defense contracts. Even contractors that do not process, store, or transmit CUI will have to obtain a CMMC Level 1 certification. And the certification process costs money. The interim rule includes some estimated costs for supporting Cybersecurity Maturity Model Certification assessments, ranging from around $3,000 for the lowest level to over $1 million for the highest certification. These sums do not include recurring costs to maintain/recertify the assessments.
As of right now, CMMC is a requirement that applies only to contracts with DoD entities. However, other agencies may consider adopting their own versions of these cybersecurity assessment and review requirements.
There are many steps your business can be taking today to comply with CMMC. You don’t need to go at it alone. Give 2W Tech a call today and let us help your business prepare for the Cybersecurity Maturity Model Certification and give you audit support. 2W Tech is a technology service provider that has a proven track record with our Cybersecurity Compliance Program.