Receive CohnReznick insights and event invitations on topics relevant to your business and role.
01/20/2023
CMMC implementation likely shifting to 2024, but contractors should still prepare now
The Department of Defense (DOD) had planned to seek an interim final rule designation for implementing the Cybersecurity Maturity Model Certification (CMMC) program, its new cybersecurity standard for defense contractors.
Now, the recent released unified agenda indicates that the DOD is seeking to implement the CMMC program, originally released as an interim rule, via a Notice of Proposed Rulemaking (NPRM) mechanism. The unified agenda sets a deadline of May 2023 for NPRM action. As a result, full implementation of the program will likely shift to sometime in 2024.
The current requirements as stated in DFARS clause 7012 requiring contractors to self-attest compliance with the requirements of NIST Special Publication 800-171 still stand. The commitment of the DOD to anchor the CMMC program on the provisions of NIST Special Publication 800-171 remains unchanged. In June 2022, the DOD’s acquisition office issued a memo reminding acquisition officials of the current NIST 800-171 standard, and offering “contractual remedies to ensure compliance” with the DFARS clause.
What does CohnReznick think?
The Department of Defense is committed to improving the security of its supply chain by requiring its contractors to eventually meet the requirements specified in the CMMC program. The delay is a reflection of the complexity and diversity of the Defense Industrial Base (DIB). While many DIB contractors may see this as another reason to “kick the can” to implement controls or to enhance their cybersecurity program, we recommend that contractors take advantage of this additional time or the transition period to continue to assess and strengthen their cybersecurity posture.
What’s next?
Whether you’re well on your way to CMMC compliance or just getting started, use our “road map to compliance” to check your progress and plan your next steps. And as always, feel free to reach out to our team for more information.
Contact
Bhavesh N. Vadhani, CISA, CRISC, CGEIT, PMP, CDPSE, Principal, Global Leader, Cybersecurity, Technology Risk, and Privacy
703.847.4418
Daryouche Behboudi, Advisory Managing Director
703.744.8507
Subject matter expertise
Bhavesh Vadhani
CISA, CRISC, CGEIT, PMP, CDPSE, Principal, Global Leader, Cybersecurity, Technology Risk, and Privacy
Daryouche Behboudi
Advisory Managing Director
Close
Contact
Let’s start a conversation about your company’s strategic goals and vision for the future.
Please fill all required fields*
Please verify your information and check to see if all require fields have been filled in.
Access Our Government Contracting Topic Page for Key Insights & Powerful Tools
Related services
This has been prepared for information purposes and general guidance only and does not constitute legal or professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick LLP, its partners, employees and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.