The CMMC countdown has begun. Are you ready for CUI compliance?

Introduction

The digitalization wave is the latest focus for enterprise IT modernization. While it offers enormous opportunities it also creates great challenges. As organizations hasten to digitalize, they often neglect sufficient cybersecurity leaving them vulnerable to cyberattacks and data theft.

According to the latest IBM report, the global average cost of a data breach in 2023 was $4.45 million. Every day adversaries launch malicious attacks on business infrastructures to disrupt or obtain sensitive data.

The largest target for such malicious attacks is the US Department of Defense and its supply chain, also known as the Defense Industrial Base (DIB).

Recent estimates put the annual losses in the US due to cyber theft at over $600 billion. To protect the DIB, the CISA (Cybersecurity and Infrastructure Security Agency) has issued warnings to promote and ensure vigilant cybersecurity practices.

One such practice is to ensure that Controlled Unclassified Information (CUI) is protected against unauthorized dissemination. To prevent unauthorized access to sensitive data, the DoD has created an assessment program called “Cybersecurity Maturity Model Certification” (CMMC) to verify the DIB compliance with NIST SP 800-171.

CMMC 2.0

The CMMC Model was introduced in 2020 to verify protection of sensitive information, especially CUI documents, which are shared between the DoD and its DIB suppliers. To learn more about CUI read our earlier blog on this topic.

The CMMC framework now requires third-party assessors to examine, interview, and test evidence of controls equipped to protect sensitive information. CMMC 2.0 ensures that DIB contractors protect CUI, FCI (Federal Contract Information), etc. to an appropriate level. If they fail to meet the requirements, these contractors may not only lose contract revenue but also opportunities to bid for new contracts.

What are the Updates to CMMC Rule Making?

CMMC will be released to DIB in Q1 of 2025 via a phased rollout. Prime contractors are expected to be CMMC compliant on or before Q1 2025 regardless of the phased rollout. According to estimates, the CMMC process and certification will take 21-27 months on average. Therefore, every company dealing with the DIB must start their CMMC compliance journey in Q3 2023, that is, NOW

Let's take a quick look at the 7 things you need to know about the CMMC Rule Making updates.

1. The DoD has officially submitted the CMMC rule for regulatory review which begins the countdown toward official publication – Since the DoD has officially submitted the rule (Sept 2023), the rest of the process associated with it is already set in motion. There is very little time left for organizations dealing with DoD to ensure CMMC compliance. There is sufficient detail available to plan your security designs, as future changes are likely to be minor.
2. CMMC should be reviewed and published in late October 2023 – After receiving the CMMC rule, the OIRA (part of the Office of Management and Budget) has 90 days to either approve or send the rule back for revisions. The OIRA takes approximately 66 business days to complete its review which means the expected publication of the rule is in late October 2023.
3. There will be a 60-day public comment period ending in December 2023 – A 60-day comment period is standard for all federal rules and CMMC is no exception. The comment period will begin the day the rule is published in the Federal Register. Once the comment period closes the final Rule will be published. The expected comment period is between October - December 2023.
4. CMMC should be finalized and begin showing up in contracts in Q1 2025 – The CMMC rule will be either an interim rule or a proposed rule. The interim final rule is effective before an agency responds to public comments in a 'final rule'. The proposed rule is effective after an agency responds to public comments in a final rule.
5. There will be a 3-year phased rollout for CMMC contract clauses – Whether the CMMC rule is published as an Interim rule or proposed rule the DoD will insert DFARS 252-204-7021 into groups of contracts in a phased manner over 3 years. If we assume that the rule is published in Q1 2025, all relevant DoD contracts will contain CMMC by 2028. This means that many DIB suppliers and subcontractors will be pressured to be ready as soon as possible once the rule is final.
6. According to the DoD, the CMMC rule is done but it will not say anything now – The DoD is unable to publish anything about the rule-making process until the OIRA review process is complete.
7. Implementation of cyber requirements now takes longer than rulemaking – A 50-100 employee company operating with the DoD supply chain will approximately take 12-18 months to go to assessment ready. With the DoD submitting the CMMC rule to OIRA, the rule will become effective within 10-21 months. Companies who wait for the official announcement to begin their implementation will lose out time.

Conclusion

The DoD’s CMMC program is entering its final phase with the submission of rulemaking to implement the program. It is under review at OIRA, and this body has 90 days to review the rule. With the inherent time lags in applying security changes, very little time is left for DIB companies to become CMMC compliant. You should start the process NOW.

REFERENCES:Summit 7 BlogsCost of a Data Breach Report 2023CISA CMMC 2.0 Program