The long and winding road of CMMC is straightening out and is headed right at government contractors. The days of wishing it away or waiting until you have no other choice are coming to a close: the final rule for the Cybersecurity Maturity Model Certification (CMMC) program was published in the Federal Register on October 15, 2024.

We consulted with our partner and CMMC expert, Fernando Machado, CEO of Cybersec Investments, to get insight into what this means for Department of Defense contractors going forward.

Q: What are common misconceptions small subcontractors have with regard to CMMC and requirements written into solicitations and contracts once DFARS implements the CMMC program?

A: There are two timelines here. Beginning on the effective date of the DFARS clause, the DoD intends to include CMMC Level 1 and CMMC Level 2 self-assessments. However, the DoD, at its discretion, may require a CMMC Level 2 Certification Assessment in place of the CMMC Level 2 Self-Assessment.

Additionally, the phased rollout applies to prime contractors, but not subcontractors. Prime contractors can require CMMC immediately because subcontractors work for the prime and not the DoD. CMMC requirements will eventually be a condition of a contract award.

Q: Is “self-assessment” a risk for the contractor concerning both exposure to inefficiencies in their assessment and for the overall protection of CUI (Controlled Unclassified Information)?

A: The CMMC rule (§170.23) states that prime contractors must comply and require subcontractors to comply with CMMC requirements throughout the supply chain. For subcontractors handling only FCI, CMMC Level 1 (Self) is required. For those handling CUI, at least CMMC Level 2 (Self) is required. However, the decision to allow self-assessments will be up to the prime contractor or DoD Program Management Office.

Q: If a contractor has current DoD prime or subcontracts active through FY’25 for recompete in FY’26, and they are not yet CMMC compliant to the assessment level necessary for their requirements, will it be necessary to be certified before implementation of the CMMC program in early-mid 2025?

A: The DoD may, at its discretion, delay the inclusion of the requirement for CMMC Status of Level 2 (C3PAO) to an option period instead of making it a condition of contract award. CMMC is a verification mechanism for existing requirements in DFARS 252.204-7012, primarily NIST SP 800-171.

Q: What is your best advice for small businesses requiring Level 2-3 compliance?

A: The best advice I can give small businesses is to first see if they have the DFARS 252.204-7012 clause in their contractual agreement and if they are actively handling CUI. If so, I would begin with implementing the NIST SP 800-171 requirements. If you need consulting or advisory, I highly suggest contacting a trusted provider as soon as possible as most of their calendars are getting booked up into the middle of next year.

As your business looks to move forward with CMMC, we encourage you to reach out to Fernando and his team for assistance and continuous compliance support. Check out their website and schedule your consultation today.