Time To Act on Your CMMC Program

The Final Rule of the Cybersecurity Maturity Model Certification (CMMC) Program is expected by the end of October 2024, with an effective date likely in Q1 2025. DIB contractors should start their certification process now.

The Cybersecurity Maturity Model Certification (CMMC) program recently took an important step forward. At the end of June 2024, the DoD (Department of Defense) closed the public comment period for the draft version of the Final Rule and sent it to the Office of Information and Regulatory Affairs (OIRA), a regulatory agency of the US federal government. OIRA’s review is the last step before the Final Rule is expected to be published in the late September to October 2024 timeframe.

The Final Rule will also indicate the effective date of the CMMC Program, perhaps during Q1 of 2025. From there, the CMMC requirement will gradually be extended to all DIB (Defense Industrial Base) contracts, making the certification mandatory for all primes and subcontractors.

Key steps for contractors

The CMMC Program certifies that a contractor is compliant with the set of requirements for protecting the confidentiality of controlled unclassified information (CUI).

CMMC is divided into three levels, depending on the type of information a company handles and the type of work it does. Level 1 allows for an annual self-assessment, and Level 3 organizations will be assessed by government officials. Most DIB contractors will fall into Level 2, for which a third-party assessment is required.

Although the rollout period for CMMC contract requirements is expected to last over two years, it is still not known how the progression will play out. In fact, starting from the effective date, any DIB contract may include CMMC as a requirement. It is therefore critical to act now if your organization wants to continue doing business with the DoD in 2025.

The first step is to complete a gap assessment. “A gap assessment will give you a clear idea of what security gaps need to be fixed and the remediation activities that need to be implemented,” says Rhia Dancel, NSF Information Security, Technical Manager.

Based on the findings of the gap assessment, the second crucial step in your CMMC journey is to secure an assessment date. Although CMMC assessments will be conducted only after the effective date, it is important to secure one as early as possible, to avoid delays and bottlenecks: “There are over 300,000 suppliers in the DIB, but currently less than 60 CMMC Third-Party Assessment Organizations (C3PAO). If there is an influx of organizations that are ready for a CMMC assessment, they may have to wait in line,” says Dancel.

How NSF can help

NSF is an authorized C3PAO with extensive experience in information security and dedicated CMMC professionals.

If you're doing business with the DoD and you don't want to lose your eligibility to bid on contracts or to participate as a subcontractor, you can count on us for:

  • Gap assessment
  • CMMC assessment
  • Expert guidance*

Stay tuned for more details about NSF’s training on Information Security awareness and related CMMC topics.

To request information about the CMMC program and our auditing services, contact Haley Glass, Information Security territory account executive at hglass@nsf.org.

*Please note that any suggestions made in this article or guidance provided by our experts do not constitute consulting and following any of these suggestions is not linked in any way to the granting of certification.