CMMC implementation likely shifting to 2024, but contractors should still prepare now
The Department of Defense (DOD) had planned to seek an interim final rule designation for implementing the Cybersecurity Maturity Model Certification (CMMC) program, its new cybersecurity standard for defense contractors.
Now, the recently released unified agenda indicates that the DOD is seeking to implement the CMMC program, originally released as an interim rule, via a Notice of Proposed Rulemaking (NPRM) mechanism. The unified agenda sets a deadline of May 2023 for NPRM action. As a result, full implementation of the program will likely shift to sometime in 2024.
The current requirements as stated in DFARS clause 7012 requiring contractors to self-attest compliance with the requirements of NIST Special Publication 800-171 still stand. The commitment of the DOD to anchor the CMMC program on the provisions of NIST Special Publication 800-171 remains unchanged. In June 2022, the DOD’s acquisition office issued a memo reminding acquisition officials of the current NIST 800-171 standard, and offering “contractual remedies to ensure compliance” with the DFARS clause.
The Department of Defense is committed to improving the security of its supply chain by requiring its contractors to eventually meet the requirements specified in the CMMC program. The delay reflects the complexity and diversity of the Defense Industrial Base (DIB). While many DIB contractors may see this as another reason to “kick the can” on implementing controls or enhancing their cybersecurity program, we recommend that contractors take advantage of this additional time during the transition period to continue to assess and strengthen their cybersecurity posture.
Whether you’re well on your way to CMMC compliance or just getting started, use our “road map to compliance” to check your progress and plan your next steps. And as always, feel free to reach out to our team for more information.