By: Tom Cupples, Ed.D., CISSP, CGRC, PMP, CAICO-PI, CCP, CCA, Sec+, Net+, Security Controls Assessor & Senior Cybersecurity Trainer at CISO Global, Inc.
On December 26, 2023, the Office of Information and Regulatory Affairs (OIRA) released the 234-page Cybersecurity Maturity Model Certification (CMMC) proposed rule, available at https://www.federalregister.gov/documents/2023/12/26/2023-27280/cybersecurity-maturity-model-certification-cmmc-program, and its documentation, available at https://dodcio.defense.gov/CMMC/Documentation/. This kicked off a 60-day public request for comments. The final rule is expected to be released in early March 2024, and some industry experts expect it to go into effect as late as Q1 of 2025.
Although 2025 may seem far off, the reality is that CMMC is no longer on the distant horizon; it is knocking on our door. The time is NOW for companies to take proactive measures to ensure they can continue doing business in the Defense Industrial Base (DIB) once the rule goes into full effect. If a company waits until Q1 2025, it will have less than a year to become certified by a Certified Third-Party Assessment Organization (C3PAO) before DIB companies are required by code to fully comply with CMMC. January 1, 2026, is the deadline for a company to be certified to receive a contract. However, the proposed rule suggests that some contracts may not be solicited with compliance requirements until October 1, 2026.
The CyberAB and its ecosystem are training and certifying Assessors and Third-Party Assessment Organizations. However, given the current small number of CMMC Certified Assessors (CCAs) and C3PAOs, and the large number of companies that will need to be assessed, companies that delay compliance until the rule is in full effect will be faced with a long wait for available CCAs and C3PAOs. This could prevent DIB companies from gaining lucrative DoD contracts and result in opportunity loss.
DIB companies that do not know where to begin to prepare for CMMC should start with a CMMC gap assessment performed by a qualified third-party assessor. The assessor will conduct an in-depth review of the company's system to determine whether it meets CMMC requirements and, where it does not, can partner with the company to plan and implement the needed remediations.
CISO Global is experienced in performing compliance gap assessments and providing services to help organizations bridge the gap, including implementing CMMC controls and training employees in CMMC requirements. CISO Global also serves as a CyberAB Licensed Training Provider (LTP), preparing assessors to pass the exams necessary to become CyberAB CMMC Certified Assessors (CCAs) and CMMC Certified Professionals (CCPs).
For more information about CMMC, visit https://dodcio.defense.gov/CMMC/Assessments. My blogs on CMMC offer some background on the program: "Why is CMMC a Big Deal?" and "CMMC 2.0 Preparation: Top Four Strategic Actions to Take Now."