On December 26th 2023 the DoD (Department of Defense) dropped a slightly belated Christmas gift on defense contractors and vendors in the form of big changes to the CMMC (Cybersecurity Maturity Model Certification) program.
Whether the timing of the info dump was intentional or not remains a matter of debate but what’s not up for debate is that these changes are now the law of the land when it comes to reaching your CMMC goals (at least until they’re possibly challenged in court but we wouldn’t hold our breath on that). If you have not started working on them yet this is your sign to get started ASAP.
The 234-page document covered a variety of updates to the program, including splitting up tier 2 into self-attestation OR requiring contractors and vendors to obtain a third-party audit, but for those actively working on it we’re happy to say the controls themselves remain unchanged.
The vast majority of contractors (63% as estimated by the DoD) will still fall under CMMC Level 1 but a new change will not allow these contractors to submit a POA&M (Plan of Action and Milestones) to comply with unmet milestones going forward.
For contractors falling under Level 2 and 3 they can still submit a POA&M but while it previously allowed contractors to set their own timing for completing the actions required the new rules state all POA&M must have a plan for completion within 180 days of the initial assessment.
This is a huge change and will make it very difficult for contractors who are trying to rush to get their accreditation to comply with existing contracts. There are also new limitations on POA&Ms and some controls don’t allow them to be completed under a POA&M at all.
DoD contractors and vendors will have to rethink their entire plan for coming into compliance with CMMC this year.
The good news is that if you do meet all of the new hurdles and pass your assessment you will be in the clear for 3 years.
For those in the CMMC level 2 category (an estimated 37% of those affected) whether or not you can still self-attest in SPURs (Supplier Performance Risk System) or will need a third-party assessment is dependent entirely on whether the CUI (Controlled Unclassified Information) found in your contract warrants one or the other as determined by the DoD.
As these rules are still rolling out Level 2 contracts will most likely be required to self-attest to start until the program gains its footing when we’ll start to see more required to take on a third-party assessment. Contractors should be prepared either way as they perform the actions needed to qualify for certification.
There’s good news for Level 3 contractors in that not much has changed for them, and the program overall is still based on guidance from NIST SP 800-172. New language was added that CMMC Level 3 contractors must maintain a perfect Level 2 score in addition to achieving 20 out of 24 points to meet the qualifications for Level 3. Only a small minority of contractors will need to worry about achieving Level 3 and we have no doubt those that qualify know who they are and were already well prepared for this news.
The proposed roll out of these changes and CMMC as a whole is under a phased implementation window that will expand across a three-year period. Beginning with the DoD looking at those soliciting new DoD contracts to have a Level 1 or Level 2 self-attested score all the way up to the inclusion of CMMC in all new and existing contracts by year three.
It should also be noted that those who misrepresent their level of readiness under the CMMC program can face some pretty sharp penalties for doing so.
To add salt to the wounds the DoD have given themselves a grace period up to 2027 to begin rolling out these changes within their own organization - rules for thee but not for me? Perhaps a little bit.
These weren’t the only changes to be announced in December, if you would like to see and read the full 234-page document yourself you can find it here.
Either way the time to get your ducks in a row was several years ago (CMMC 2.0 was released in 2021) but short of inventing a time machine to do so the second best time to start is now.
Valley Techlogic has worked with clients on readiness for a variety of cybersecurity compliance frameworks including but not limited to CMMC, HIPAA, NIST, CIS and more. If you would like to learn more about how we can help you meet your CMMC goals, reach out today.
Looking for more to read? We suggest these other articles from our site.
This article was powered by Valley Techlogic, an IT service provider in Atwater, CA. You can find more information at https://www.valleytechlogic.com/ or on Facebook at https://www.facebook.com/valleytechlogic/ . Follow us on Twitter at https://twitter.com/valleytechlogic.
You must be logged in to post a comment.