It’s time to stop kicking the can – contact us to find out how to get started – it’s not that bad – really!
Keeping its promise, the Department of Defense (DoD) finally published the CMMC Proposed Rules in the Federal Register on Dec. 26, 2023 (Happy Holidays!!). There are no big suprises in what was published:
The purpose of the Cybersecurity Maturity Model Certification (CMMC) remains the same as it was when it originated in 2019 – it is a verification tool. Having the vast bulk of the Defense Industrial Base (DIB) required to certify or have certified it’s cybersecurity control environment will greatly reduce exposures of DoD confidential information. At the same time, organizations need to recognize this step is also protecting your intellectual property.
Secondly, no new guidelines or assessment guides were released; they remain the same ones that were published in Nov. 2021. Level 3 is still not published but this is the level for a small number of contractors who need to be at an even higher level than what is contained in NIST 800-171. It confirmed that R 2 of 800-171 is what will be used as the new R 3 is not yet published.
Thirdly, it is no secret that every organization in the DIB was required to have been in compliance with the cybersecurity rules for non-federal systems since 2017. Thus, the DoD took the position that the CMMC verification is of something that is already in place! So, don’t be upset when you see low cost projections for achieving CMMC L2 certification – they are technically correct.
At the same time, they do accept that likely most of the DIB is not compliant and thus, small and medium contractors will need time and likely assistance to achieve L2 certification. There is a 4 year transition period described in the rules. The problem with that is that the Primes and the DoD agencies themselves may well enforce the DFARS procurement provision (254.202-7012) – the one requiring NIST 800-171 compliance since Dec. 2017 NOW and not wait for CMMC to be specified in a solicitation. In fact, we have seen these requirements in many contracts and solicitations already.
What to do: it is time to stop “kicking the can” down the road hoping that it will all just go away. Now that it is published and will be a regulation – more than a rule! – it is clearly HERE. So you need to get started:
Figure out what data you actually have and what you need – they may not be the same; develop a business data flow
Examine what you have in place now and identify deficiencies – remember, you need to show evidence that the controls are in place for the entire scope of the company that is using Controlled Unclassified Information (CUI) – every system, every service provider and all your involved people – this is what makes it a lot; however, there are ways to make it smaller
Figure out your remediation plan and how long it will take to remediate – what it will cost too – and begin as soon as possible to take steps so that you can demonstrate at least a good faith effort
Establish a monitoring system so that you know that all the controls are operating as intended and most importantly, ensure you have EVIDENCE of the controls at work
We have lots of experience and are happy to assist: contact us today at Comply@3comply.com or set up a call through out site. It is time to stop kicking the can!