The recent amendment to 48 CFR, dated August 14th, 2024, offers clarity on the timeline and implementation of Cybersecurity Maturity Model Certification (CMMC) requirements within defense contracts. The rollout will proceed over a three-year phased approach as outlined below:
- Phase 1 (Years 1-3): During the first three years, CMMC requirements will be selectively applied to certain contracts. The inclusion of these requirements for prime contractors will be determined by the respective program office. Subcontractors will need to consult with their primes to identify any CMMC requirements that must be passed down. When included, CMMC obligations will extend to all subcontractors at all tiers if they process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).
- Full Implementation: Following the initial three-year period, CMMC compliance will be mandated for all contracts involving FCI or CUI that exceed $10,000.
CMMC 2.0: Timeline for impact
Current projections suggest that CMMC 2.0 will be launched mid-2025, beginning with a self-assessment process for Level 1 and introducing limited requirements at Level 2. Organizations currently subject to FAR (8 CFR 52.204-21) should have already implemented the basic 17 security controls. These organizations will now be required to internally assess their compliance and formally attest to it. Prime contractors are expected to receive Level 2 clauses shortly thereafter, which they must pass down to all subcontractors.
CMMC compliance: Recommended actions
- Engage with Primes and Supply Chain Partners: Determine whether your contracts involve CUI and, if so, begin preparations for Level 2 compliance immediately. Be vigilant for CMMC-related questionnaires from prime contractors.
- Review Your Self-Assessment Process: Ensure that your self-assessment is thorough and accurate before submitting your attestation to the Department of Defense. Address any gaps now to avoid complications later.
- Plan and Forecast: Evaluate your organization’s current cybersecurity maturity level, investment pace, internal change capacity, and budget cycles. Preparing for CMMC compliance will likely require organizational changes and technological investments.
Cybersecurity Maturity Model Certification: Critical considerations
While self-assessment may appear straightforward, the consequences of inaccuracies can be severe. There have been several high-profile cases where the False Claims Act (FCA) was used to litigate false cybersecurity declarations, such as the $9 million penalty imposed on Aerojet Rocketdyne Inc. in 2022.
How Malleum Can Help
Malleum offers expert guidance to ensure your organization is fully prepared for CMMC self-assessment. Our impartial analysis will help you submit an accurate attestation and maintain compliance over time. For Level 2, we bring extensive experience in helping organizations across various sectors align with NIST 800-171 standards. Our expertise in implementing robust and effective controls will accelerate your certification process. Should any gaps be identified, we are prepared to assist in designing and implementing the necessary controls.
Looking Ahead
CMMC 2.0 is approaching, and it will have a significant impact on the entire defense supply chain. However, with the right preparation and strategic partner, this challenge can be transformed into an opportunity to enhance your cybersecurity posture and differentiate your organization from the competition.
Are you ready to embark on your CMMC journey? Contact us to discuss how we can help you navigate these new requirements, ensuring your business remains secure and compliant. Your CMMC journey starts here.