There has been much discussion around the Cybersecurity Maturity Model Certification (CMMC) and whether it is going away. The topic can be confusing, and we want to help. Let’s break down the current state of the CMMC program and what is happening.
First, let’s start with a big point: it is highly unlikely that CMMC will go away, but that isn’t stopping executive leadership at many organizations from wishfully thinking that it will. The lineage runs from Executive Order 13556 in 2010, which gave birth to changes in FISMA, through the dropping of “Recommended” from NIST SP 800-53 in Revision 4, to the initial release of NIST SP 800-171 Revision 1 in 2016. That is a lot of time and a lot of technology change, spanning the introduction of the iPad, IBM Watson, Microsoft Azure, 4G, and Instagram. Unfortunately, requirements and guidance have a hard time keeping up with time and technology.
With modern cloud computing quickly becoming the norm for organizations, the challenge became, and continues to be, taking existing requirements and guidance and applying them to the technology in use today. Those of you in compliance know the dilemma well. Why make this observation before talking about whether CMMC is going away? To stress how complex today’s technology is, and how hard it is to make sure it complies with the requirements and guidance; that work often leaves those trying to comply scratching their heads. It is a challenge, and unfortunately it is one that is not going away. The Department of Defense recognized it as a real challenge, based on the amount of controlled unclassified information that was making its way into the hands of adversaries and other countries, and decided it needed a way to validate that contractors were following the NIST SP 800-171 guidance. This came in the form of the DFARS Interim Final Rule, which introduced 252.204-7019, 252.204-7020, and 252.204-7021. DFARS 252.204-7019 and 7021 are where we will focus for this topic.
DFARS 252.204-7019 states that the “Offeror” shall verify that a score from a contractor’s NIST SP 800-171 assessment was submitted to the Supplier Performance Risk System (SPRS) and is no older than 3 years, unless a shorter period is specified in the solicitation. Great, so what does that mean? It codifies the already existing DFARS 252.204-7012 into an actionable time frame. The best way to relate this is to think of a little kid wanting to play with a shiny new toy. The parent asks the child if they completed their homework, and the child claims “yes”. The parent then asks to see the homework before allowing the child to play with the toy. If no completed homework can be produced, then no toy gets played with, or, in the case of CMMC compliance, no contract will be awarded.
DFARS 252.204-7021 introduces the requirements of CMMC. We won’t get into all the differences between Level 1 and Level 2 here, but we will cover some key points that you should pay attention to. This DFARS clause puts CMMC on the roadmap with a phased-in approach from the DoD up until September 30, 2025, with all contracts requiring CMMC on or after October 1, 2025. Where does it state this, you ask? Pop over to Subpart 204-7503 for a look. The subpart does not necessarily mean that there will be CMMC requirements in contracts; it merely gives the DoD the option to put CMMC requirements into contracts once approved by the Office of the Under Secretary of Defense for Acquisition & Sustainment (OUSD A&S).
At this point, contractors should stop and ask themselves why they are waiting to act rather than at least making sure they are aligning to NIST 800-171 and creating the policies and procedures that are expected to be in place, as defined in Appendix E for Non-Federal Organizations (NFO). If there were plans to shelve the CMMC program, why would the DoD CIO’s office take over ownership of the CMMC website from the OUSD A&S? CMMC is likely not going away, but certain language in the DFARS will change, at least when it comes to which office grants approvals in the subpart. Outside of that ownership change, your guess is as good as mine, and only when the interim final rule becomes final will we have a definitive answer.
In closing, contractors still need to adhere to NIST 800-171 requirements and still need to submit a score to SPRS at least once every year.
Contact us today to discuss how we are assisting the DIB with preparing to become CMMC compliant as a Microsoft Gold Partner and GCC/GCC High and Azure Commercial & Government experts.
More Info
For additional information on CMMC preparation, contact us at info@ktlsolutions.com. KTL Solutions is a CMMC Registered Provider Organization with CMMC-RPs on staff to assist you.