The regulatory environment is continuously evolving, and many firms struggle to keep up. Achieving and maintaining compliance, however, is crucial for retaining profitable contracts and expanding into growing sectors. One of the greatest challenges for firms working with the Department of Defense is reaching the required level of the Cybersecurity Maturity Model Certification (CMMC).
Although the CMMC guidelines are still in the works, DoD contractors must stay ahead if they want to preserve their supplier relationships. In addition, contrary to popular assumption, CMMC remains on schedule despite the setbacks of the current pandemic. Corporations should concentrate on three key goals:
- DFARS compliance.
- Completion of action plans and objectives.
- Preparation to satisfy the standards for the chosen CMMC level.
Seeking help from CMMC government contracting professionals can help DoD contractors achieve compliance.
Getting ready for a third-party assessment
The requirement for third-party assessments is the most important aspect of the CMMC rules. Before receiving a certification attesting to its ability to meet a specified maturity level, every DoD vendor will need to undergo an assessment. Nevertheless, the CMMC Accreditation Body, which is currently governed by a board of volunteers not affiliated with the Department of Defense, is still a young institution. Training of the first assessors began in late August, so it will be a considerable time before obtaining a third-party assessment becomes a legal requirement.
The initial round of assessments, on the other hand, will use provisional assessors, and these practice assessments will not result in any certificate. By 2025, nevertheless, all DoD acquisitions will have to meet CMMC criteria. That may seem a long way off, but there is no question that the first round of assessments will be in great demand: after all, the DoD supply chain is made up of more than 300,000 firms. Official audits are not expected until the DFARS and CMMC guidelines are established.
The DFARS regulation for CMMC has been updated.
In August, the procurement office proposed an amendment to DFARS 252.204-7012, which governs the release of restricted, confidential information (CUI). This contract clause applies to the bulk of DoD contractors and already requires a high degree of cybersecurity maturity. The amendment is planned to replace the 110 controls of NIST SP 800-171 with the CMMC's five-level methodology.
Once this amendment is adopted, it will mark the beginning of the official implementation of the CMMC mandate for all DoD contractors. The amendment will soon be open for public comment. Following its release there will be a 60-day comment period, during which input is collected and integrated and any revisions to the CMMC rules and procedures are made. After that, it will be published in its final form and take effect 30 days later. This still has a good probability of happening well before the end of the year.
What about COVID-19's potential for causing delays?
Because of the ongoing pandemic, the implementation of the CMMC regulations has had to be postponed. While the modest delay gives contractors more time to prepare, there are still fears that enormous backlogs might hinder the audit and accreditation process, which will require on-site inspections. On the other hand, the NDIA has declared that CMMC remains one of its top priorities.