The Cybersecurity Maturity Model Certification (CMMC) has had its timetable updated. If you either currently work with the federal government, or you’re hoping to apply as a contractor, it’s important that you know when CMMC assessments are due, and how much time that gives you to make the necessary improvements. If you don’t work with the federal government, this cybersecurity framework is still highly recommended as the best means of protecting your sensitive information. Read on to learn how this certification has changed, and what to expect in the coming months. But first, if you’re entirely new to the CMMC program, we’ll provide a brief overview of what it’s all about.
What Is CMMC?
The purpose of CMMC is to provide a checklist of best practices that any organization can implement to ensure adequate data security. It’s only required by law for government contractors, but it stands as the optimal model for any organization looking for the best ways to improve cyber defense. We wouldn’t be surprised if it eventually becomes the standard for many industries — especially healthcare, which is the “costliest industry for data breaches,” according to Healthcare Dive.
The original version, now known as CMMC 1.0, was comprised of five maturity levels that were each divided into a specific number of practices (technical activities) and processes (procedural activities). Companies needed third-party audits to verify they had achieved the required practices and processes for each level.
Then, almost a year ago, the Department of Defense (DoD) released its updates to the program with CMMC 2.0. The purpose of these changes was two-fold: offer a streamlined pathway to cyber resilience that was also more affordable for smaller businesses to implement. The original five maturity levels were consolidated into three — Foundational, Advanced, and Expert — as were the parameters under each. Self-assessments were permitted for contractors that wanted to achieve Foundational status, as this level didn’t pertain to controlled unclassified information (CUI) or high value assets (HVA). The other two levels still required third-party audits.
When we last reported on CMMC 2.0, we noted that the DoD was still finalizing this rulemaking, and offered tips on how to plan for its eventual completion. The expectation was that it would take nine to 24 months. Now, indications are that March of next year will be when interim final rules go into effect.
The DoD’s Phased Approach to CMMC 2.0
According to MCAA, CMMC 2.0 will be released in a phased approach.
Interim final rules are expected to be issued in March of 2023, followed by a 60-day comment period where companies can read and provide feedback. May will then see the start of Phase 1, where companies must conduct self-assessments and provide positive affirmations of their compliance. Phase 2, which is still to be determined, will involve the submission of self-assessments or third-party certifications, depending on the type of CUI and required certification level as outlined above.
Although some anticipated the final CMMC ruling could be delayed as late as 2025, we don’t recommend that you make plans based on this prediction.
MCAA also notes that “third-party CMMC certifications will be good for three years,” DoD contractors must submit annual affirmations that confirm their compliance, contractors’ certifications will be stored at the DoD for validation purposes only (without making detailed results public), and self-assessments for CMMC Levels 1 and 2 are required each year.
Now Is the Time to Plan
There’s one piece of advice we’d give any organization that wants to prepare for CMMC: don’t wait. Take the appropriate steps now to identify and implement changes needed to meet these deadlines and obtain CMMC certificates.
We mention this for a few reasons.
First, these changes won’t be achievable overnight, much less in a week. They take time to evaluate, and often require purchasing hardware, software, or cloud-based solutions. That also requires data migration, restructuring, and oversight.
Second, any new technology that you’ll need to add will inherently require training — either for your in-house team, or for new hires to fill additional positions. That requires time to get your current team members up to speed, and to interview the best available candidates.
Third, don’t underestimate the costs involved. You may find that these implementations will take longer based on what you can afford for the remainder of this year, and what you’ve already allocated for 2023.
HCRS Can Prepare You for Certification
The specific changes you’ll need to make will require a thorough evaluation. HCRS can guide your team on those cybersecurity requirements so that you’re in the best available position for CMMC assessments. As a Registered Provider Organization (RPO), we can’t perform any audits or grant certification, but we can offer industry expertise to ensure that you’re ready.
If you’d like to discuss what such an evaluation would entail, we’d be happy to share our process for identifying security controls and preparing a CMMC framework. Contact us today to learn more.
You can also find additional information regarding CMMC by visiting the DoD’s website for Acquisition & Sustainment through the Office of the Under Secretary of Defense.