Companies bidding for defense contracts are expected to have to comply with Cybersecurity Maturity Model Certification (CMMC) requirements in early 2025.
In comparison to past regulations, current CMMC requirements represent a streamlined model designed to encourage compliance and accountability.
Affected contractors and subcontractors should begin their compliance planning now, and shore up their ability to defend against ongoing targeting by advanced and persistent threat actors.
The end of 2023 brought the anticipated updates regarding the status of the CMMC Rule for protection of Controlled Unclassified Information (CUI). A proposed rule has been issued by the DoD to create the CMMC Program. This continues the rulemaking process, with a 60-day public comment period through February 26, 2024. The adjudication process then begins, in which the DoD responds to comments, adjusts the Proposed Rule as needed, and receives approval from the White House Office of Management and Budget (OMB) on the updated version. This represents a long-awaited update to the CMMC program timeline, along with new considerations for defense contractors.
Numerous complexities in the proposed CMMC rule can limit an organization’s effectiveness when establishing an approach to reach certification. PwC, a Registered Practitioner Organization (RPO), is uniquely positioned to help organizations seeking certification navigate these complexities and prepare for CMMC assessments. PwC’s team of 30+ Registered Practitioners has experience supporting readiness assessments for a range of clients, both small and large, across the Fortune 500 and spanning multiple industries.
Adjudication of CMMC runs in parallel to the DFARS 252.204-7012 proposed rule changes expected in Spring 2024. As of publication of the proposed rule, National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 revision 2 and portions of NIST SP 800-172 have been referenced as the set of requirements to meet depending on CMMC Level.
Key Updates:
In 2020, the Department of Defense (DoD) introduced the Cybersecurity Maturity Model Certification (CMMC) process, designed to bolster security, protect sensitive unclassified information, and enhance visibility into the defense supply chain.
The CMMC mandates new standards, practices, and processes that all companies within the DoD supply chain—not just the defense industrial base (DIB)—must implement to bid on defense contracts. What’s at stake is big and growing: The DoD’s budget request related to two key acquisition appropriations totaled $315 billion for FY2024, an overall increase from last year’s request.
Defense contractors are the target of frequent, persistent, and complex cyber attacks. A recent joint agency alert reported that from at least January 2020 through February 2022, there has been regular targeting of large and small US-cleared defense contractors (CDCs) as well as subcontractors that provide the following to the DoD and intelligence community: command, control, communications, and combat systems; intelligence, surveillance, reconnaissance, and targeting; weapons and missile development; vehicle and aircraft design; and software development, data analytics, computers, and logistics.
Implementing CMMC is a significant endeavor, one that could impact as many as 300,000 primary contractors and subcontractors, large and small. In addition to DIB companies, CMMC affects a mix of traditional and nontraditional industries, such as higher education (research and development), health services, retail, critical infrastructure providers (including telecom), and technology (including cloud service providers).
The framework is currently a proposed rule anticipated to be finalized throughout 2024. No start date for compliance has been set, but it is currently estimated that CMMC will start appearing in contracts as early as 2025.
Source: Office of the Under Secretary of Defense, Acquisition & Sustainment
While the proposed rule has been published as of December 2023, contractors will need to prepare for the phased rollout of CMMC. Depending on the type of contract and award timing, CMMC Level 2 Certification Assessments may be required as soon as mid-2025. In the meantime, annual self-assessments based on NIST SP 800-171 will remain in effect until the final rule is published.
The months between now and 2025 may seem like a comfortable timeline to build compliance, but the complexities of CMMC compliance will require quick action as well as a disciplined response and deep knowledge of DoD acquisition rules.
To start the process towards CMMC compliance, contractors should first evaluate the environment for compliance (documentation, control effectiveness, resources) and continue to expand their documentation and readiness.