Is the CMMC Certification Process Finally Starting to Gain Momentum?

Key Takeaways from the July 2022 Cyber AB Town Hall

If you listened to the Cyber AB town hall on July 26, 2022, you likely got the impression that the DoD’s CMMC program is gaining momentum. Although the Department of Defense (DoD) is still in the CMMC rule making process, the current schedule would have the Final Rule being published in March 2023. Publishing kicks off a 60-day comment period, concluding with the rule going into effect in May 2023.

Signs of Momentum in CMMC Certifications

In addition to the rule making schedule taking shape, there are other tangible signs that the CMMC program is moving forward:

• Voluntary assessments are finally going to commence. There are currently four Organizations Seeking Certification (OSCs) that are scheduled to start with their assessments in late August. Because CMMC rulemaking is not complete and therefore not a lawful requirement, the voluntary assessments are being performed under the authority of the DoD’s Joint Surveillance Program. Under this program, the CMMC Third-Party Assessment Organization (C3PAO) will conduct the assessment in coordination with the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), a DoD organization. OSCs that pass the assessment will be provided with a CMMC Level 2 Certification once the Final Rule goes into effect, assuming there are no changes in the assessment requirements between the completion of the voluntary assessments and the issuance of the Final Rule. The OSC’s Level 2 Certification will then be good for three years.
• The Cyber AB recently released a pre-decisional draft of the CMMC Assessment Process (the “CAP”). The Cyber AB has spoken about the importance of the CAP in providing consistency in how C3PAOs perform assessments. So its release is a key step in getting that process going. The Cyber AB provided a 30-day public comment period on the CAP. Comments can be submitted to CAPcomments@cyberab.org.
• The DoD issued a Memo in July 2022 emphasizing to Contracting Officers the need to enforce DFARS 252.204.7012, which requires defense contractors to implement NIST SP 800-171. It further states that the Contracting Officer must confirm that the contractor has a score in the DoD’s Supplier Performance Risk System (SPRS) prior to award of a new contract, contract extension, contract modification, task order, etc.
• The DIBCAC has begun reviewing certain Defense Industrial Base (DIB) companies’ scores in SPRS. DoD has indicated that many of these reviews have identified significant discrepancies between the DIB companies’ self-assessment scoring and the DIBCAC’s scoring. As you might expect, these discrepancies are one-sided where the DIB companies are being excessively generous with their own scores. This can be a big concern for DIB companies because the Department of Justice (DoJ) has launched its Cyber-Fraud Initiative where it plans to utilize the False Claims Act to pursue government contractors for cybersecurity related fraud that includes knowingly misrepresenting cybersecurity practices, i.e., knowingly submitting inaccurate self-assessment scores into the SPRS system.
• We are hearing from subcontractors that primes are starting to request subcontractors to provide evidence of SSPs and NIST SP 800-171 assessment results.

CMMC Assessment Preparation Timing

Although there is no guarantee that Final Rule will be approved in March 2023, it is clear that DoD and the Cyber AB are pressing forward. Given that it will take most contractors 6-12 months to get ready for a CMMC assessment, contractors would be wise to start scoping, performing informal gap assessments, and addressing known weaknesses. As the fog in the regulatory landscape clears, OSCs should monitor DoD and Cyber AB publications for additional guidance. Once the Final Rule is approved, OSCs will need to move quickly get started with their CMMC assessment activities. Otherwise, they could risk not being able to bid on future contracts.

I continue to find value in attending the CMMC town hall meetings. It is interesting to hear the progress that is being made with the CMMC ecosystem, as well as hearing questions/concerns that are being raised and how they are being addressed. There is still a long road ahead, which aligns with the effective date for all DoD contract awards after FY25.

Many DoD contractors will not have the expertise or resources needed to perform a CMMC readiness assessment, identify the gaps, and develop corrective action plans. In these cases, the contractors are turning to cybersecurity consultants with knowledge of NIST and the CMMC framework. If you want to learn more about CMMC, Keiter’s team of cybersecurity specialists can help you. Email | Call: 804.747.0000.

Our team will continue to monitor the rollout of the CMMC program and update you on new information and changing requirements for DoD contractors.