Is CMMC still on track? 5 things DoD contractors need to know
The short answer? Yes, it is.
Despite the coronavirus pandemic, the Department of Defense has remained on schedule with its original plan to tighten cybersecurity regulations across its 300,000+ contractor base.
It’s crucial, now more than ever, that DoD contractors learn about the CMMC regulations and the timeline for rolling them out, the steps to become compliant, and how these new policies will affect the ability to win federal contracts.
Here are 5 things DoD contractors should know about the progress with CMMC:
1. The CMMC accreditation body is in place
The CMMC Advisory Board (CMMC-AB) is a non-profit organization that has been established to provide program details for Certified Third Party Assessor Organizations (C3PAOs), RPOs, and credentialed roles that support them: Certified Professionals, Certified Assessors, and Registered Practitioners.
Certified Professionals and Certified Assessors are trained and tested to provide certified assessments and consultative services to Organizations Seeking Certification (OSCs).
Details related to Licensed Instructors will be released over the coming months.
2. DoD has selected the first ten RFIs that must adhere to CMMC requirements
The first ten Requests for Information (RFIs) that will include CMMC cybersecurity requirements are slated to appear between the end of July and early August with the first contract awards scheduled for early 2021 – less than 6 months away!
DoD plans to have CMMC requirements in all new RFIs by 2025; this is largely because DoD will not modify existing contracts (outside of extenuating circumstances). This helps accommodate the timeline for the general five-year DoD contract cycle (one base plus four option years).
New contracts will likely need to adhere to the new requirements much sooner than 2025, and contractors that are compliant will have the opportunity to win Federal business, while those that do not comply will not.
3. The CMMC-AB has started training C3PAOs.
The CMMC-AB has already begun training Certified Third Party Assessor Organizations (C3PAOs). These organizations will manage the contractor assessment process and provide CMMC compliance certification for the Defense Industrial Base (DIB).
4. C3PAO-conducted CMMC Certification will be mandatory but will also be an allowable cost built into DoD contracts.
All DIB companies must contract a Certified Third-Party Assessor Organization to evaluate and award CMMC compliance. To alleviate the burden this places on contractors, the expense of this assessment and certification will be an allowable cost built into DoD contracts.
5. There is one delay: the date of the public hearing to change the Defense Federal Acquisition Regulation (DFAR)
One of the final steps before CMMC becomes official is a change to the Defense Federal Acquisition Regulation (DFAR). This change requires a public hearing which, due to the coronavirus pandemic, is postponed until September 2020.
Is CMMC still on track?
Yes – and DoD contractors need to be prepared to meet the regulations, or risk missing out on new Federal contracts.