How it all started
One cool and brisk evening on the shores of the American Northeast on April 18th, 1775, a “spotter” saw something very disturbing through his portable telescope. The spotter immediately jumped on his horse and rode through town, yelling, “The CMMC is coming! The CMMC is coming!” Patriots of the American Colonies immediately woke up and began securing their home networks, crafting policies and procedures with quills and indigo ink.
Then, without warning, came a pounding on the doors of those same homes, “BANG BANG BANG.” When the homeowners opened up, they were met by Nazis demanding, “PAPERS PLEASE!”
Okay, so it didn’t really happen like that.
So back in 2019 the Cybersecurity Maturity Model Certification (CMMC) framework was introduced, and Version 1.0 followed in early 2020. An interim rule (effective November 30, 2020) then amended the Defense Federal Acquisition Regulation Supplement (DFARS) to add three things: a formal scoring methodology with scores posted to the Supplier Performance Risk System (SPRS), Government access to a Government Contractor’s (GovCon) facilities for higher-confidence assessments (even if the contractor held no facility clearance), and CMMC as a requirement in future contracts.
Then CNN, Fox News, and MSNBC reported mass suicides of GovCon business owners: the implied obligations were seen as so strenuous and burdensome that, rather than working out how to conform to the new requirements, they took their own lives in a bitter fit of depression.
Okay, that didn’t really happen like that either.
What did happen was the GovCon industry pushed back really hard on these new requirements, and subsequently, the U.S. Government yielded and reduced the scope of what would have been required in the CMMC 1.0 assessment activities.
Then CMMC 2.0 was launched in November 2021, but not before the U.S. Justice Department launched its Civil Cyber-Fraud Initiative in October 2021. This matters because GovCons that had fretted over an estimated $3,500.00 cost for an independent certification were pleased that they could continue to self-attest, yet these same GovCons fail to recognize what is now riding on an accurate self-certification: an inaccurate one is potential False Claims Act exposure pursued by the Justice Department.
In a recent webinar, DoD CISO David McKeown indicated that DoD anticipates roughly 80,000 GovCons will require C3PAO assessments and about 120,000 will be able to self-certify.
Firms that must be independently assessed will have to use one of the approved Certified Third-Party Assessment Organizations (C3PAOs). As of the date of this piece, there are 13 approved C3PAOs in total. Oddly enough, the available information suggests these 13 are not having their phones ring off the hook with demand; the data points quite the opposite way.
Many GovCon business owners are taking the position of, “Yeah, CMMC 2.0 exists, but the Government says to look at 9-24 months for formal ratification. I’m waiting to see if this even actually happens.”
So if we look at the timeline, that would put CMMC 2.0 in effect on or around September 2022 to November 2023. Most looked at the Government’s past track record with CMMC and planned for a target implementation date of late 2023. Then, in April 2022, information indicated that a new interim rule would be published in May 2023, a full six months ahead of that end date. Then on May 9th, 2022, Ms. Stacy Bostjanick, Chief of Implementation Policy for DoD, stated that the Government now anticipates March 2023.
Time is not on your side
This gives firms a year to ratchet up and get ready, right? True, but with caveats. So let’s break down some further timetables. If CMMC 2.0 is put in effect by interim rule in March 2023, there is a strong chance that Requests for Information (RFIs) will appear carrying these requirements for the Requests for Proposals (RFPs) that follow. Historically, it is about six months from RFI to RFP, and sometimes longer.
In the following image, SoundWay depicts levels of effort matched against regulatory implementation timelines. GovCon owners who keep playing the wait-and-see game will not act until the Government issues a document that says “shall” or “must.” If an RFI is released in May 2023 and the GovCon only then begins working towards conformance, it is, unfortunately, already too late.
Regardless of the snake oil being pitched as “CMMC Compliance in 30 Days,” that is marketing, not a plausible timeline. Writing a fully mature System Security Plan (SSP) generally takes weeks, if not months.
Next, you will have to create a Plan of Action and Milestones (POA&M) for every NIST SP 800-171 security requirement scored as “not met,” down to the individual assessment objectives in NIST SP 800-171A that are not met. Keep in mind that a security requirement (also called a “security practice”) cannot be placed on a POA&M at all if it carries a weight of 5 points under the DoD Assessment Methodology used for SPRS scoring; those must actually be implemented.
So let’s “presume” that a GovCon has everything in place to be considered for a C3PAO assessment. The GovCon will almost certainly shop the engagement for the best price, as costs to date have been unusually high due to the limited number of Provisional Assessors. By the time that shopping is done and terms are agreed, a few more months have passed. Why? Supply and demand. At this stage of the timeline you are not the only one trying to become certified; take a number and get in line.
Once the assessment begins, you have to allocate a multi-week or multi-month window (depending on supply and demand) for scoping, pre-assessment readiness review by the C3PAO, and scheduling the assessment itself, including onsite activities. By the time all of this transpires, you are looking at approximately 12 months from start to finish.
It is important to note that under CMMC 2.0 you must hold the required certification to be eligible for award when a solicitation carries CMMC requirements, so in practice you need it in hand when you bid on the RFP.
While it may seem premature to allocate budget towards conformance that is still a year out, weigh that against the risk of no longer being able to do work for the Defense Department. By starting now, you can spread fewer resources over more time. For example, start the SSP in June and finish it in October of this year; that puts you more than five months ahead of the crucible.
SoundWay has prepared a checklist that can help you adequately prepare for CMMC 2.0.
If you are a business with under 500 employees, you likely do not have enough dedicated cyber staff to meet the separation of duties requirement under 3.1.4 of NIST SP 800-171; a single administrator often creates accounts, approves access, and reviews the audit logs, which is the concentration of duties the control is meant to prevent.
To meet this requirement, the assessment objectives in NIST SP 800-171A require you to ensure that:
- The duties of individuals requiring separation are defined.
- Responsibilities for duties that require separation are assigned to separate individuals.
- Access privileges that enable individuals to exercise the duties that require separation are granted to separate individuals.
SoundWay can assist you with this requirement with our Separation of Duties service offering.
To schedule a free consultative session with one of our experts, please contact us at CMMC@soundwayconsulting.com or call us at (571) 210-0624.