It’s Time For Your Wakeup Call: CMMC is Almost Here!

Category: Compliance, News, CMMC

The long-awaited 48 CFR Proposed Rule is here: what does it say and what does it mean for CMMC implementation?

CMMC has been on the horizon for years, lurking in the distance and often treated as a "tomorrow" problem. With the publication of the proposed rule to amend DFARS 252.204-7021, let this be a wake-up call: CMMC is coming - and it's coming quickly.

“What does this proposed rule mean for CMMC?”

Earlier this year, we released an article about the DoD's CMMC Implementation Plan that outlined the different CMMC Levels, self-assessment vs. certification, and the overall timeline for CMMC. In short, as soon as the proposed rule released on August 15 is finalized, DFARS 252.204-7021 will be revised and the CMMC program requirements will take effect. The proposed rule still has several hurdles to clear between the end of the public comment period and publication of the final rule, but the launch of CMMC remains on track for early FY2025.

“What will my company be required to do under the proposed rule?”

The proposed rule outlines several new requirements for contractors seeking to work with the DoD:

  • You must have the required CMMC level and assessment type (or higher) at the time of contract award. If the solicitation says you need a CMMC Level 2 certification, you must already have been assessed by a C3PAO and achieved certification before award; a self-assessment or an assessment still in progress does not count.

  • Results of self-assessments or certifications must be entered into SPRS so DoD can verify that all systems used in performance of the contract have met the CMMC level requirements.

    • To support this, SPRS will issue DoD UIDs for each assessed system. You will have to provide the UID(s) to the contracting officer prior to contract award.

  • You must maintain the appropriate CMMC level throughout the life of the contract. This means an annual self-assessment for Level 1, an annual affirmation of continuous compliance with the security requirements at every CMMC level, and an assessment every three years by a C3PAO for Level 2 certification or by DIBCAC for Level 3.

  • If you plan to change which systems are used in the course of the contract, the new systems must be assessed at the appropriate level and entered into SPRS, and the new UIDs must be presented to the contracting officer before you start using those systems.

  • Primes must flow down the appropriate requirements to suppliers and subcontractors, using the applicable DFARS 252.204-7021 language in the contract agreements.

    • You must also verify that each subcontractor has the appropriate CMMC level requirements entered into SPRS before awarding them a subcontract.

  • You must notify the contracting officer within 72 hours of any lapse in information security or any change in the status of your CMMC certificate or self-assessment during contract performance.

“How will I know what level and assessment type I need?”

The proposed rule also requires contracting officers to state explicitly in the solicitation whether the contract requires a CMMC Level 1 self-assessment, a CMMC Level 2 self-assessment, a CMMC Level 2 certification, or a CMMC Level 3 certification. With this requirement, it will be clear from the solicitation what you need in place to be eligible for contract award.

“How can I make sure I’m ready for CMMC?”

If you already have a contract with the government, talk to your contracting officer to get an idea of what your applicable CMMC level is likely to be. If you already know you will handle CUI, make sure you are implementing all of the NIST SP 800-171 Revision 2 requirements on every system you will use to perform DoD contracts. Whether you will be required to do a self-assessment or obtain a certification, you can engage a third party - like Hive Systems - to perform a CMMC Readiness assessment, giving you time to remediate gaps before a C3PAO assessment or contract award. If you already have the CMMC controls in place and think you are ready for an assessment now, you can engage a C3PAO to see whether you are eligible for the Joint Surveillance Voluntary Assessment Program - a joint assessment by the C3PAO and DIBCAC that will convert into a CMMC Level 2 certification once CMMC is in place.

The deadline for CMMC compliance is rapidly approaching. If you need help understanding the requirements for your anticipated CMMC level, operationalizing the controls in your organization’s unique environment, or documenting your SSP, Hive Systems has Certified CMMC Assessors who can help! Download our CMMC Level 2 SSP template and contact us today.
