CMMC’s Upcoming Cliff

by Brandon Graves, Partner

CMMC began development back in 2019.  Final implementation has been just around the corner for almost that long; long enough that many have tuned it out.  The end is finally in sight, however, and government contractors may find less help available than they need.

On June 27th, the Department of Defense finished its review of the CMMC proposed rule, sending it to OIRA for final review.  That means we should see a published rule in October.  In addition, NIST just published the latest revision to SP 800-171, which underlies CMMC.  This means that some, indeed many, of the technical requirements have changed.  The DOD is working to get more companies certified to provide assessments, which is a slow process that has been disrupted by the many changes in the requirements.  The federal government is also in the midst of a significant change in overall cybersecurity and supply chain security requirements.

When the final rule is published, expect a lot of noise.  Primes are already pushing subs to get certified, and this behavior will increase once solicitations actually include CMMC (sometime in 2025, most likely).  Consultants are pushing solutions, many of which are not actually solutions; companies should beware.

What companies will find is that there are not enough properly certified assessment organizations available to meet demand.  This is especially true for organizations that are not in a position now to meet CMMC obligations; they will spend months doing remediation, leaving them even less time for an assessment.  The DOD’s position is that everyone should already be in position to meet CMMC requirements due to the existing SP 800-171 obligations in the current DFARS, so there will be little consideration of companies not at this standard.

It is almost certain that someone reading this post works for a company that will miss opportunities because it cannot comply with CMMC.  Don’t be that company.  If you have any questions about what your CMMC obligations are or how best to meet them, please contact us while you still have time to make any adjustments.