It’s official. The Cybersecurity Maturity Model Certification (CMMC) proposed rule is with the Office of Information and Regulatory Affairs (OIRA) and is now under review. Additionally, the Department of Defense and Office of Management and Budget are now planning for the release of a proposed CMMC rule later in 2023.
Is your organization prepared? Government contractors who have been slowly implementing NIST SP 800-171 controls might be surprised to learn that they may need to play catch up.
Historical Timeline & Impact on Contractors
The CMMC process has been long, and for good reason. The DoD has consistently asserted its commitment to implementing the compliance standard correctly the first time – proactively assuring that the methodology is effective and flexible in the right areas. Specifically, a core focus has been ensuring that the CMMC process works for small contractors.
Now that the proposed rule is with OIRA, organizations putting off aligning with NIST should feel pressure. Justin Weeks, CCA and VP of Cybersecurity and Compliance at Teal, explains the situation that contractors will likely experience.
“Historically, it has taken 400 days from OIRA to the final ruling,” said Weeks.
“If that timeline holds, companies that start preparing today will not be ready until at least 147.5 days after the rule takes effect,” continued Weeks. “That’s assuming it takes 18 months and providers are available to service the company. Additionally, last I checked, there are fewer than 500 Certified CMMC Professionals (CCPs), meaning there can be no more than 500 current CCAs ready to perform assessments.”
“Plus, there are only 502 RPOs – for 100K defense contractors,” said Weeks.
This will create a supply gap relative to demand from Organizations Seeking Certification (OSCs), lengthening timelines after the final rule – and affecting contracts and their renewals. You won’t see the current vendor supply expand dramatically to meet OSC needs, because the progression from RPO to CCP to CCA is itself lengthy.
“What’s more, CyberAB Guidelines do not allow CMMC Third Party Assessment Organizations (C3PAOs) to perform an assessment without conducting a readiness review,” said Weeks. “So, they cannot be scheduled until readiness is completed, and that requires a finished System Security Plan (SSP) and a Plan of Action and Milestones (POAM) with everything implemented.”
What does this all mean? It means implementation takes longer than the rulemaking process. When you combine that with the gap in supply, your organization could be months behind.
Avoid Delays to Your CMMC Readiness
Now is the time to prioritize your compliance efforts and avoid delays. If you’re struggling to navigate the complex requirements, we urge you to work with a knowledgeable managed service provider (MSP) experienced with CMMC and NIST. A knowledgeable MSP will cut preparation time and boost your compliance – readying your organization for the rollout of the final rule.
Teal is a sophisticated Registered Provider Organization (RPO) – helping our partners stay ahead of the curve. Our knowledgeable compliance experts have empowered countless defense contractors and subcontractors to easily navigate the complexities of DFARS, NIST 800-171, and CMMC.
Check out our CMMC QuickStart option (for organizations up to 200 users) to get on the road to compliance quickly.