Update: The timeline for when CMMC will be officially published has shifted over the past year. In 2022, the original plan was to see CMMC wording included in contracts by May 2023. However, as of July 24, 2023, the proposed CMMC rule has been sent to the Office of Management and Budget (OMB), which has 90 days to review it and send it back for changes. If approved, the rule will enter a public comment period. This means CMMC may not be finalized until Q1 2025.
Earlier this month, hundreds of cybersecurity experts gathered in San Francisco for the 2022 RSA Conference to discuss the current state of cybersecurity. Some of the biggest takeaways from the conference include updates regarding CMMC 2.0 and its timeline. For those unaware, CMMC (Cybersecurity Maturity Model Certification) is a framework that provides standardized controls and processes for manufacturers and other organizations contracted by the Department of Defense (DoD) and working within the Defense Industrial Base (DIB). Read below to learn about some of the biggest CMMC takeaways from RSAC 2022.
Here are the biggest CMMC takeaways from RSAC 2022:
- The first takeaway is that the DoD will begin continuous monitoring of organizations that attest to CMMC compliance. Once an organization submits a self-attestation questionnaire regarding its CMMC compliance, the DoD, through third parties and its own internal resources, will monitor open-source channels to confirm whether the organization's attestation reflects its current security posture. If its actual security controls contradict the level of certification it attested to, it could lose its contract.
- The second takeaway concerns who will be required to comply with CMMC certification. The DoD has clarified that organizations that hold only Federal Contract Information (FCI) will be required to comply with maturity level 1. Any Controlled Unclassified Information (CUI) will automatically require the business to comply with maturity level 2. The federal contracting officer and the prime contractor can specify maturity level 3 requirements on an ad-hoc basis where applicable.
- The third takeaway is that, to discourage organizations from submitting false attestations, the False Claims Act (FCA) has been put forward as an enforcement tool. Under the FCA's whistleblower (qui tam) provisions, an individual who reports a contractor that was awarded a contract but failed to implement the required security controls can receive up to 30% of what the government recovers.
- Last, but certainly not least, we have an updated timeline for when organizations can expect CMMC 2.0 to be implemented. The DoD is currently aiming for May 2023, with CMMC 2.0 requirements expected to begin appearing in contracts shortly afterwards, in July 2023.
These CMMC takeaways from RSAC 2022 will continue to evolve. CorpInfoTech will help you stay on top of the latest CMMC information with our blogs and social media.
CorpInfoTech can help your organization establish and maintain CMMC compliance. Our assessment methodology maps between the most common control frameworks, including those required by the DoD and by numerous regulatory bodies, such as PCI DSS and HIPAA.
CorpInfoTech (Corporate Information Technologies) provides small to mid-market organizations with expert I.T. services, including compliance assessment, cybersecurity penetration testing, and comprehensive business continuity planning. CorpInfoTech can help organizations quantify, refine, and mitigate the risks presented by business-threatening disasters in whatever form they may be disguised.