The Pentagon submitted its Cybersecurity Maturity Model Certification (CMMC) proposed rule to the Office of Information and Regulatory Affairs (OIRA) for review in July 2023. In the November/December timeframe, officials plan to release the updated rule for public comment. The comment period is another milestone in the process, and it shortens the time contractors have left to prepare before the rule is finalized.
CMMC Public Comment Period
The Defense Industrial Base (DIB) is awaiting the forthcoming 60-day comment period, which is expected to be a critical window for response. According to the CMMC Director at the Pentagon, Stacy Bostjanick, industry should prepare to respond effectively during this period so that open issues are addressed before the rule takes effect.
“We do want the good comments. We do want to be brought to mind what we forgot or didn’t think about,” Bostjanick said. “We do want to hear from each one of the companies. If somebody has a better way to build a mousetrap, let us know. Because we’re open to all of that to try and make this right, and we do recognize the importance of this effort.”
Stacy Bostjanick
The specific contents of the proposed rule are not yet known. However, Cyber AB's CEO, Matthew Travis, hopes CMMC 2.0 will be in effect by fall 2024, before the next election cycle.
How to Avoid Delays to Your CMMC Readiness
Three months ago, our certified CMMC experts presented a Master Class with quick insights following the DoD's submission to OIRA, to help you be ready for the final rule.
Justin Weeks, Teal CCA and VP of Cybersecurity & Compliance, explained:
- The OIRA announcement
- How it impacts the CMMC timeline
- Where you should be in your preparation process
- Whether you can push out your deadline due to class variance
“Historically, it has taken 400 days from OIRA to the final ruling,” said Weeks. “If that timeline holds, companies who start preparing today will not be ready until at least [239.5] days after the rule takes effect.”
Justin Weeks
Watch the Master Class now to see if you’re on track to be ready when the CMMC rule is finalized.
CMMC Compliance Recommendations
To prepare for the evolving CMMC 2.0 rollout, contractors should take the following steps:
- Determine the CMMC level that your organization needs to obtain.
- Determine the scope of the data that the assessment will cover.
- Establish boundaries for how data is managed to put clearly defined limits around the assessment.
- Review all processes and the level of documentation that exists for each.
- Fill in any documentation gaps that you identify.
- Review relevant practices and determine who performs them. Determine if the identified individuals can explain how they perform the tasks.
- Determine whether your organization can conduct these pre-assessment activities on its own or will need assistance from a Registered Provider Organization (RPO).
Empower your company with CMMC knowledge. This guide covers the process, benefits, maturity levels, and how to prepare for your CMMC audit.
The CMMC Levels
CMMC is designed to enhance cybersecurity across the DIB. The DoD aims to keep implementation affordable, even for small businesses, so that contractors can engage securely at the lower CMMC levels as well as the higher ones.
The framework is cumulative: to certify at a given level, an organization must also meet every requirement of the levels below it. Understanding the requirements of each level, and which level your contracts demand, is essential for successful DoD work. Here is an overview.
Level 1: Foundational Cyber Hygiene
This level ensures that companies take basic steps to keep Federal Contract Information (FCI) safe from cyber threats. Level 1 consists of the basic safeguarding practices drawn from FAR 52.204-21. Rather than a third-party certification, Level 1 relies on an annual self-assessment, so organizations attest to their own compliance. Even so, every practice must actually be implemented, and contractors should be able to demonstrate that effort if asked.
Level 2: Advanced Cyber Hygiene
Moving up to CMMC Level 2 is significant. It means that an organization has gone beyond the basics of Level 1 and has taken additional steps to protect Controlled Unclassified Information (CUI). Level 2 aligns with the 110 security requirements of NIST SP 800-171. At this level, organizations that handle CUI generally must be assessed and certified by an authorized third-party assessor, although the DoD has indicated that some Level 2 programs may permit self-assessment. To achieve certification, an organization must document its practices and implement them exactly as Level 2 requires, and be prepared to show evidence of that implementation to an assessor.
Level 3: Expert Cyber Hygiene
Level 3 builds on Levels 1 and 2 and places the highest priority on safeguarding CUI against advanced persistent threats. In addition to the Level 2 requirements, it adds a subset of the enhanced security requirements from NIST SP 800-172, and assessments at this level are led by the government rather than a third-party assessor. Organizations must show that they manage their security program systematically, including the training, resources, and planning needed to sustain these practices over time.