The CMMC 2.0 framework is expected to be released in 2023, and it will likely take some time for the framework to be fully implemented and for contracts to start requiring compliance. However, some sneaky agencies are starting to slip the requirements into their bids.
To help get a head start on compliance with the CMMC rule, companies were advised to start their security and compliance journey in Q1 of 2023, regardless of the rule's published status. Although there’s some speculation that CMMC 2.0 rollout will be delayed, it’s best for companies to start preparing for compliance soon. And since it can take an average of 12 to 18 months to implement the steps for CMMC 2.0 compliance, it’s high time you get into action.
What is the CMMC deadline?
The CMMC compliance deadline is set to take effect in July 2023. This certification program is designed to help protect the Department of Defense (DoD) supply chain from cyber threats by requiring all contractors and subcontractors doing business with the DoD to be certified under CMMC.
Start with NIST SP 800-171 implementation
The first thing to consider is how much time you will need to implement NIST SP 800-171.
Organizations are required to comply with the NIST SP 800-171 requirements under DFARS 7012 and other existing DFARS regulations. In the summer of 2022, NIST announced their plans to revise NIST SP 800-171 over the next 18 months, with an initial draft of the revised SP 800-171, Revision 3 expected to be released in late spring 2023.
This holds importance for those who have not yet adopted NIST 800-171, as they may have to adhere to extra measures linked to the revised edition. In contrast, early embracers of CMMC, who are ready for evaluations, will probably remain unaffected by the NIST updates in the context of a provisional final rule situation.
Understand the two rulemaking scenarios for CMMC 2.0
The DoD might publish the CMMC program rule in the next few months. There are two possible scenarios for the CMMC program rule:
Scenario One: Suggested Regulation "NPRM"
In this situation, the CMMC program rule would be enforced after the DoD evaluates and addresses public feedback by publishing a final rule in the Federal Register. Suggested regulations adhere to the standard, customary, and gradual approach for "notice and comment" in rulemaking.
Scenario Two: Provisional Final Regulation "IFR"
The DoD has persistently followed a provisional final rule, where the CMMC program rule would be implemented prior to the DoD assessing and responding to public comments through a final rule, signifying its immediate effectiveness.
Have a realistic idea about the implementation timeline
Typically, it takes 50-100 person companies an average of 12-18 months to implement NIST SP 800-171 (CMMC Level 2). However, most companies are over a year behind, given the potential interim final rule scenario.
In order to be prepared for the release of the CMMC regulation in the upcoming months, contractors should have initiated their implementation process in the fourth quarter of 2021, which coincides with the original announcement of CMMC 2.0. Furthermore, for companies to be ready in the event of a provisional final rule scenario, they ought to have commenced their implementation during the first quarter of 2022.
Don't be dismayed, it's not too late to start prioritizing your CMMC 2.0 compliance.
Steps for meeting CMMC compliance deadline
Once you have figured out how much time it will take you to achieve compliance, you can begin by following the below steps.
1. Determine the CMMC level applicable to your organization
The evolution of CMMC from 1.0 to 2.0 modified the number of levels from 5 to 3. The initial step towards embarking on your CMMC compliance journey involves determining the appropriate CMMC level that your organization must comply with. CMMC 2.0 consists of three levels - Foundational (Level 1), Advanced (Level 2), and Expert (Level 3).
Your organization's CMMC level depends on the type of data it manages, such as Federal Contract Information (FCI), Controlled Unclassified Information (CUI) / Covered Defense Information (CDI) / Controlled Technical Information (CTI), and ITAR or export-controlled data, among others.
2. Determine the assets for CMMC 2.0
Adherence to the DoD's current compliance regulations for the supply chain requires the process of identifying which assets and data in your existing IT environment can pose a challenge due to the possible areas through which contract information (FCI) and sensitive data (CUI) may flow.
Several factors must be taken into account when identifying assets for CMMC, including:
- The movement of data in and out of your existing environment.
- The identification of the locations where FCI and CUI are stored.
- The retention of control over the systems that hold contract information and sensitive data.
3. Conduct a gap analysis
Perform a detailed analysis of your current cybersecurity posture against the CMMC 2.0 requirements to identify gaps and areas that need improvement.
Engage a Registered Provider Organization (RPO) authorized by the Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB) to conduct a Gap Assessment. Doing so guarantees that all relevant security requirements are adequately addressed at each applicable level.
4. Develop a System Security Plan (SSP)
Create a formal document that outlines your cybersecurity standard, policies and procedures. This should also include a detailed assessment of the risks associated with CUI and a plan to mitigate those risks.
5. Implement cybersecurity controls
Implement the cybersecurity controls outlined in your SSP to meet the CMMC 2.0 requirements. This may include measures such as multi-factor authentication, encryption, network segmentation, and employee training.
6. Perform CMMC assessment
Conduct an internal audit to ensure that your organization is compliant with the appropriate CMMC level. This step involves reviewing policies, procedures, and controls, and performing tests to ensure that they are effective.
To determine if your team is prepared for a full assessment, the CMMC Third-Party Assessment Organization (C3PAO) will likely provide a readiness checklist of items to review. This checklist will include the following items:
- Completion of a pre-assessment or a formal CMMC Level 2 assessment
- Definition of the assessment scope
- Selection of the assessment initiation date
- Provision of contractual requirements
- Sharing of contact information and defining specific roles
7. Obtain certification and maintain compliance
After the CMMC Third-Party Assessment Organization (C3PAO) submits the assessment, the Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB) reviews it and makes the final certification decision for your organization.
Once the submitted evaluation is approved, the CMMC-AB informs both your organization and the C3PAO. If all goes according to plan, your organization will receive a CMMC certification valid for three years.
CMMC 2.0 compliance is an ongoing process, and you must continue to monitor, assess, and update your cybersecurity posture to remain compliant with your designated CMMC level.
Final thoughts on the CMMC compliance deadline
It is important to note that achieving CMMC 2.0 compliance can be a complex and resource-intensive process. Whether it is mapping the compliance requirements against other standards and frameworks or helping with the documentation process, the 6clicks platform has everything you would need to simplify the complex process of CMMC 2.0 certification.
The 6clicks AI engine, Hailey, has already done much of the work for you by reviewing hundreds of standards and frameworks and has identified requirement overlaps. This helps you identify the requirements and more importantly the gaps you'll need to prioritize. In addition, the content library, a single-view dashboard, and a reporting & analytics suite make it easy to achieve and maintain compliance.
Take a tour of the 6clicks platform to know how powerful automation can help you achieve CMMC 2.0 certification faster, meet the CMMC 2.0 deadline, and improve the overall Information Security Management System (ISMS).