Cybersecurity leaders from the Defense Department (DoD) are providing more clarity on the timeline for implementation of the Cybersecurity Maturity Model Certification (CMMC) program, and said they expect CMMC requirements could begin appearing in solicitations for government contracts as early as May 2023.
DoD plans to complete documentation for the new timeline to submit to the Office of Management and Budget (OMB) for its rulemaking process by July 2022. And it plans to issue interim final rules by March 2023. If DoD sticks to this new timeline, the CMMC requirements could begin appearing in solicitations for government contracts as early as May 2023 – 60 days after the rules are published.
“However, if OMB does not grant us an interim rule, then everything would shift later out by another year. So, it would be March of 2024 before we get to get a final rule. That would mean that you would see it in contracts in May of 2024,” said Stacy Bostjanick, CMMC director for DoD, during a virtual webinar organized by Preveil on June 24.
“Our plan, based on the standing of the CMMC ecosystem, is to do a phased rollout as we had planned for [CMMC 1.0]. It might not work the same way, but that’s all predicated on how we get through rulemaking and how exactly that’s going to look,” Bostjanick added.
In the first portion of this “phased approach” when the CMMC requirement first starts appearing in solicitations, all offerors will be required to conduct a self-assessment and provide a positive affirmation of compliance. During phase two, solicitations will require either self-assessments or third-party certifications. Which approach is required will depend on the type of information involved and the required certification level.
“The time finally has come for our DoD contractors and suppliers to prepare their information systems for a CMMC assessment if they have not already. Now is the time for contractors to consider comprehensive self-assessments, appropriate remediation, and updating any reported cybersecurity scores to ensure they reflect the current system,” said Dave McKeown, Deputy DoD CIO for Cybersecurity and CISO of the agency.
Under CMMC 2.0, contractors will be required to provide an annual affirmation confirming compliance. The assessment will need to be accompanied by an associated affirmation by a senior company official, Bostjanick confirmed.