Regardless of the published status of the CMMC rule, companies looking to become compliant should begin their security and compliance journey in Q1 of 2023. As the video below highlights, it takes a company an average of 12-18 months to complete the 7 Steps of CMMC.
Despite the recent public claims that DoD is “delaying” rulemaking regarding CMMC, this blog, video clip below, and full-length video at the bottom of this blog detail that the opposite is true for contractors in the DoD supply chain. In this video, we'll walk through the details of CMMC rulemaking in order to help companies make better strategic decisions regarding their cybersecurity compliance obligations.
Rather than focusing on the various rulemaking scenarios possibly in store for CMMC, contractors should carefully consider how long it takes to fully implement their NIST SP 800-171 requirements and how NIST’s revision to these existing requirements can complicate their implementation timeline, regardless of the status of the CMMC rule. This post will highlight the key takeaways from the video and when you need to be CMMC compliant.
- Contractors should start their security and compliance journey now to avoid potential additional requirements from NIST 800-171
- There are two rulemaking scenarios for CMMC
- CMMC early adopters are unlikely to be affected by NIST 800-171 rev 3 under a CMMC Interim Final Rule
Starting with NIST 800-171 Requirements
DFARS 7012 and other existing DFARS requirements state that organizations must implement the requirements in NIST SP 800-171, a requirement that is detailed in the full version of the video at the bottom of this blog.
In the Summer of 2022, NIST announced over the next 18 months they were planning to revise NIST SP 800-171. Later that year NIST announced they planned to release an initial draft of SP 800-171, Revision 3 in late Spring 2023.
This becomes important for anyone that has yet to implement NIST 800-171, meaning they will likely take on more controls associated with the newly revised version. CMMC early adopters that are ready for assessments now are unlikely to be affected by the updates from NIST under an interim final rule scenario.
Two Rulemaking Scenarios for CMMC
If the DoD submits the CMMC program rule by February 2023, then the rule should be published around May 2023. In our review of the 328 times the DoD has submitted a rule for regulatory review (detailed in the full video), the average time that the Office of Management and Budget (OMB) goes from rule submission to rule publication is 66 days. Why is this important? It shows that an extension of the CMMC rule is extremely rare, and we can make an assumption that the CMMC rule will be announced 66 days from January 2023.
Scenario One: Proposed Rule “NPRM”
The CMMC program rule would go into effect after DoD adjudicates and responds to public comments via the publication of a final rule in the Federal Register. Proposed rules are the standard, normal, routine, slow approach to “notice and comment” on rulemaking.
Scenario Two: Interim Final Rule “IFR”
DoD has consistently pursued an interim final rule. The CMMC program rule would become effective before DoD adjudicates and responds to public comments via a final rule (i.e., immediately).
This Takes a Long Time For Companies To Implement
In most cases, a NIST SP 800-171 implementation (CMMC Level 2) for 50-100 person companies averages 12-18 months; most companies are over a year behind given the potential interim final rule scenario.
For a contractor to be ready for rule publication in May 2023, they needed to begin implementation in Q4 of 2021 - when CMMC 2.0 was originally announced. Additionally, to be ready for an IFR scenario, companies needed to begin implementation in Q1 2022.
In the event of a proposed rule scenario, companies need to begin implementation in Q1 2023.
Next Steps
Organizations should be determining their required level of CMMC, if they have not already done so, as well as reaching out to partners that specialize in security and compliance requirements for companies in the Defense Industrial Base.
Frequently Asked Questions Around CMMC:
- Is CMMC finalized?
- No - but as the blog denotes, organizations should be preparing for their assessments right now.
- No - but as the blog denotes, organizations should be preparing for their assessments right now.
- How long does it take to get CMMC compliant?
- It could take organizations anywhere from 12-18 months from start to finish
- It could take organizations anywhere from 12-18 months from start to finish
- How do I know if I need to be CMMC compliant?
- Check your existing contract requirements to determine your appropriate level of CMMC
- If you have existing DFARS 7012 requirements and you handle CUI, it is likely that you'll need to be CMMC Level 2 compliant
What Do Contractors Need To Know About CMMC Rulemaking in 2023?
Here is the full-length video on an in-depth understanding of CMMC Rulemaking in 2023.