Prior to the COVID pandemic, the US Government had been planning a rollout of the Cybersecurity Maturity Model Certification, commonly called CMMC. CMMC defines the next generation of compliance requirements for those in contact with and in control of data or information considered controlled but unclassified. Known as CUI, or controlled unclassified information, this type of information requires specialized IT safeguards as a condition of contracting under several Federal government entities, including the Department of Defense (DoD). Information that can be classified as CUI can widely vary, ranging from procedures in assembling certain items to the specifics of a switch used on a defensive missile system…or many things in between.
(Note: CMMC is closely related to NIST 800-171. You may read more about these compliance families in this blog post from last year.)
As a Managed Service Provider interested in the timeline of the CMMC rollout, we have had some issue with properly preparing companies that will need to be CMMC compliant. Part of the issue with forward movement in several of these cases has to do with the inconsistency of the messaging—or simply the lack of messaging at all—coming from the various cybersecurity authorities. Indeed, timelines have been pushed back with little hard evidence to suggest when bids would no longer be accepted without CMMC compliance requirements satisfied.
In a YouTube video for Summit 7 Systems, Chief Security Evangelist Jacob Horne discusses the progress of the CMMC timeline. He estimates that Spring to Summer 2023 will be the point at which companies that fall under CMMC compliance requirements will start seeing the more stringent standards reflected in contract bid requests. He bases this prediction on current status of the cybersecurity rules and time required for Federal agencies to review and satisfy various bureaucratic requirements.
Calling this an instability, Horne suggests that because the DoD has indeed begun the slow process of codification with Office of Management and Budget, the CMMC requirements are likely now established–I.e., those requirements have become much more stable. This satisfies a large hurdle for many companies in moving forward with CMMC compliance preparations.
This is primarily due to the slow nature of the codification which necessitates little movement after submission. Horne predicts that any major changes to CMMC 2.0 from 1.2, in fact, are already made. Early adopters, now free from major changes in Horne’s view, will benefit from having a leg-up on competition that will still need to make IT improvements in a short amount of time to remain competitive.
If your business falls under NIST 800-171 or CMMC compliance requirements, give our security experts a call or CONTACT US for help!