Navigating the Latest Developments in CMMC Compliance: What Companies Need to Know

Posted November 13, 2023 by Philip Duplisey

In a significant move, the Pentagon is on the verge of releasing a rule that formalizes the implementation of the long-anticipated Cybersecurity Maturity Model Certification (CMMC) regime. For companies operating within the Defense Department’s industrial base, this marks a crucial development in assessing cybersecurity compliance. The DoD will use the privity of contract rules to lean on its big prime contractors to ensure the subcontractors in their supply chains are compliant with CMMC.


A Streamlined Approach:


The CMMC program, in the making for several years, has recently undergone significant revisions aimed at reducing the burden on smaller businesses. With the imminent release of the rule, companies can expect a comprehensive document running into the hundreds of pages, accompanied by supporting materials.


Bob Metzger, Head of the Washington office for law firm Rogers Joseph O’Donnell, suggests that the rule will be “long and complex,” with an initial section explaining the rationale and benefits of the program. The latter part will delve into changes in federal regulations, detailing how the CMMC program will practically function under Title 32 “National Defense” and the Defense Acquisition Regulations System in Title 48 of the U.S. Code.


Addressing Small Business Concerns:


One of the key considerations in the recent CMMC 2.0 program changes has been to streamline the certification process, particularly for smaller businesses. The rule may shed light on whether there will be differentiated expectations or demands for smaller versus larger businesses.


Matt Travis, CEO of the Cyber Accreditation Body, emphasizes that addressing small business concerns is crucial for the DoD. The challenge is to hold these businesses accountable without discouraging their participation in the defense industrial base.


Implementation Insights:


As the rule and supporting documents are released, companies can gain valuable insights into the DoD’s plan for implementing the CMMC requirements. The documents may provide clues about the phased rollout of certification requirements, but the framework currently in place already allows companies to start compliance initiatives right away.


Experts suggest that the initial implementation will start small, gradually increasing to avoid disruptions in the supply chain. This approach aims to ensure companies are ready for the requirements without overwhelming them.


Looking Beyond DoD:


While the DoD is taking a lead role in CMMC compliance, it’s worth noting that other government agencies are not as quick to adopt the program. The Department of Homeland Security, for instance, has released its plan for evaluating contractor “cybersecurity readiness” through a different approach.


Companies affected by CMMC compliance should keep a watchful eye on how these developments unfold, as they could impact broader cybersecurity practices across various sectors.


In conclusion, the impending release of the CMMC rule signifies a critical juncture for companies in the Defense Department’s industrial base. Staying informed, actively participating in the public comment period, and preparing for the phased implementation are key steps for businesses looking to navigate the evolving landscape of CMMC compliance.
