By Chor-Ching Fan & David Trout
Contractors awaiting an update from the DoD rulemaking process to firm up CMMC requirements received some insight into CMMC 2.0 rollout timelines at a recent NDIA cyber event. CMMC director Stacy Bostjanick hopes that an interim rule supporting CMMC 2.0 objectives passes by May 2023, so that initial CMMC 2.0 requirements start appearing in DoD contracts 60 days later. Rulemaking is proceeding on a dual track, requiring updates to both Title 32 (National Defense) and Title 48 (Federal Acquisition Regulations System).
Bostjanick acknowledged inquiries from the contractor community regarding waiver scenarios and outlined a process where an acquisition official would have to seek a waiver approval from a service acquisition executive (SAE). “The company that gets the contract is going to have to pursue and close out their CMMC certification. We are thinking the 180-day timeline again and we are going to expect the program and contractor to have some sort of risk mitigation plan for that data while it is exposed because [they] don’t have the CMMC requirements in place.”
Under the proposed CMMC 2.0 requirements, CMMC Level 2 would support two scenarios: one where a self-assessment suffices without a third-party assessment, and another where a 3PAO (third-party assessment organization) is required because the DoD contract involves information critical to national security. To be clear, Bostjanick said they are going through exercises to develop guidelines and instruction “to the DIB and our program managers to make sure we recognize which CUI is considered not as important as the other.” Bostjanick expects that the required CMMC maturity level will first appear in RFIs (Requests for Information) before it shows up in actual requests for proposals.
Though no promises could be made until rulemaking is complete, Bostjanick did share her thoughts on the goal for the interim period: a three-year certification that goes into effect when a contract is awarded. While the logistics to make this goal a reality are still being sorted out, she said that her team is “encouraging companies to move forward and get that CMMC certification today.” At the time of writing, there are 12 approved CMMC 3PAOs listed on the CMMC marketplace website.
Even if you plan to apply for a CMMC waiver, you should still take initial steps toward eventual CMMC certification. Start with a CMMC assessment to know where you stand, or tackle CMMC head-on so that you are ready for a CMMC 3PAO audit before your competition. Either way, Rizkly is here to help. Our expert cybersecurity compliance advisors have helped dozens of organizations achieve NIST 800-171, FedRAMP and NIST 800-53 compliance success. The expertise and value that Rizkly’s CMMC advisors bring to your effort are further magnified by our SaaS CMMC compliance tool. If you are ready to tackle CMMC and need to succeed without taking your eyes off the core business, Rizkly can help: contact us. We would love to talk and show you how Rizkly makes CMMC 2.0 compliance easier and less costly.