The Cybersecurity Maturity Model Certification (CMMC) has been a hot topic in the federal and defense contracting sector leading up to and since its formal release with v1.0 on January 31, 2020. The details around the implementation of CMMC are rapidly evolving – from the formalization of the CMMC Accreditation Body (CMMC-AB), to guidance on maintaining compliance with the current DFARS 252.204-7012 and NIST SP 800-171 mandates while also ramping up to CMMC Levels 1-5, to understanding when contractors must have CMMC fully implemented, to timelines for when certified third-party assessment organizations (C3PAOs) will be credentialed to perform assessments.
Organizations undoubtedly want to be proactive in their preparation for CMMC and certification for any contract requirements. Because of the evolving landscape and the many unknowns of CMMC, the industry has expressed increased anxiety about achieving CMMC certification right now.
Here at Schellman, we have closely followed CMMC through its draft iterations and formally published versions, attended in-person and web-based symposiums, and have spoken with many clients about their plans and concerns with CMMC. Our biggest takeaway for organizations? Don’t panic! The timeline is not as near as it may seem (think 2021 and beyond) and organizations may be closer to compliant than they realize.
We published a whitepaper titled Panicked about CMMC? Here’s why you shouldn’t be., which details the phased roll-out of CMMC, timelines in play, comparisons to DFARS 252.204-7012 and NIST SP 800-171, and responses to common questions.
Note: CMMC v1.02 was released on March 18, 2020. This version update included minor changes to formatting, spelling, control references, and references to FIPS 140-3. No material changes to the CMMC were made. The changes are detailed in the CMMC Errata.
About the AuthorMore Content by Schellman & Company