Guest blog by: Fernando Machado of Cybersec Investments
This is for all of those contractors who are still waiting to get compliant until they have to. To every defense contractor that is still not NIST 800-171 compliant and waiting to be forced to be on track for CMMC. Our cyber expert partner, Fernando Machado, CEO of Cybersec Investments provided us with some updates that you may want to pay close attention to. Don’t lose a current opportunity or miss out on future opportunities because you didn’t take this seriously.
CMMC Timeline
On May 23, 2023, the Department of Defense (DoD) Senior Information Security Officer and Deputy Chief Information Officer David McKeown stated, “We’re targeting late fall of next year (2024) so that can start (CMMC) to be put into contracts.”
On December 26, 2023, the DoD published the Cybersecurity Maturity Model Certification (CMMC) Program proposed rule in the Federal Register. The DoD provided a 60-day public comment period, which ended on February 26.
On February 8, 2024, Pentagon Spokesperson Tim Gorman stated, “We have already begun the adjudication process and will move to the next step rapidly after the close of the comment window.”
What Contractors Should Know
Here are the top three things that contractors in the Defense Industrial Base (DIB) need to know:
1. The DoD responded to comments from CMMC 1.0 and included them in the CMMC Program proposed rule. Comment 8; subsection b states that the cost to become and remain compliant is too high for small businesses.
The DoD responded by stating, “The estimated costs attributed to this rule do not include the costs associated with compliance with existing cybersecurity requirements under FAR clause 52.204-21 or associated with implementing NIST SP 800–171 requirements in accordance with DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. To the extent that defense contractors or subcontractors have already been awarded DoD contracts or subcontracts that include these clauses, and process, store, or transmit FCI or CUI in support of the performance of those contracts, costs for implementing those cybersecurity requirements should have already been incurred and are not attributed to this rule. Those costs are distinct from costs associated with undergoing a CMMC assessment to verify implementation of those security requirements.”
In other words, in the DoD’s view, contractors with the above-mentioned contract clauses should have already incurred those costs since costs associated with DFARS 252.204-7012 are allowable. Additionally, the only cost would be the cost of undergoing a CMMC assessment to verify your DFARS 252.204-7012 compliance, which includes the implementation of NIST SP 800-171.
2. Comment 21 states that there is concern about the lack of waivers or Plan of Action & Milestones (POA&Ms).
The DoD responded by stating, “Under certain circumstances, the CMMC Program does permit contract award to organizations that have an approved and time limited POA&M. See § 170.21 for additional information on POA&Ms. There is no process for organizations to request waiver of CMMC solicitation requirements. DoD internal policies, procedures, and approval requirements will govern the process for DoD to waive inclusion of the CMMC requirement in the solicitation.”
In other words, contractors do not have the ability to request a waiver. Waivers will be provided by the DoD in very limited circumstances.
3. The DoD intends to use a phased rollout approach once the CMMC program is finalized. Implementation of the CMMC program requirements will occur in four (4) phases.
Phase 1 states, “Begins on the effective date of the CMMC revision to DFARS 252.204-7021. DoD intends to include CMMC Level 1 Self-Assessment or CMMC Level 2 Self-Assessment for all applicable DoD solicitations and contracts as a condition of contract award. DoD may, at its discretion, include CMMC Level 1 Self-Assessment or CMMC Level 2 Self-Assessment for applicable DoD solicitations and contracts as a condition to exercise an option period on a contract awarded prior to the effective date. DoD may also, at its discretion, include CMMC Level 2 Certification Assessment in place of CMMC Level 2 Self-Assessment for applicable DoD solicitations and contracts.”
Although the DoD intends to include CMMC Level 1 Self-Assessment or CMMC Level 2 Self-Assessment, the DoD, at its discretion, may include CMMC Level 2 certification in place of a CMMC Level 2 Self-Assessment. Additionally, contractors need to understand that this phased rollout applies to contractors with direct contracts with the DoD (e.g., prime contractors). Nothing is stopping the prime contractors from requiring their subcontractors to get certified immediately since that’s a business-to-business decision.
If you’re a contractor in the DIB, we highly recommend getting ready now. The average time to achieve NIST SP 800-171 compliance is approximately 12-18 months. For more information, give us a call at 1-800-960-8802 or email us at info@cybersecinvestments.com.
Fernando Machado, CISSP, CISM, CISA, CEH
Cybersec Investments – Managing Principal and Chief Information Security Officer
Fernando is the Managing Principal & Chief Information Security Officer for Cybersec Investments, an Authorized CMMC 3rd Party Assessment Organization. Fernando is a Certified CMMC Assessor (CCA) and Certified CMMC Professional (CCP). Fernando was a member of the CMMC Accreditation Body’s Standards Management Industry Working Group, which helped develop guidance on CMMC’s assessment criteria & scoping with over 17,000 volunteer hours. His contributions led to being formally recognized by the President of the United States with the President’s Volunteer Service Award.
Connect with Fernando on LinkedIn