Last week, the CMMC Program final rule (32 CFR Part 170, referred to here as CFR 32) cleared review at the Office of Information and Regulatory Affairs (OIRA), meaning the text is now fixed and no further changes can be made.
Because CFR 32 is classified as a Major Rule, it next undergoes Congressional review under the Congressional Review Act, after which it takes effect (no earlier than 60 days after it is submitted to Congress). Congress does not need to act for the rule to take effect; the only way to stop it is a joint resolution of disapproval passed by both houses of Congress and signed by the President.
For defense contractors handling CUI, know that CMMC is here. If you have been waiting, this is your confirmation to get started.
The CMMC rule is on target to take effect in Q4 2024, with CMMC requirements expected to start appearing in contracts in early 2025 through the companion DFARS (48 CFR) rule. Contractors must hold the required CMMC status at the time of award.
The rule also requires contracting officers to verify that the offeror's CMMC assessment results are posted in the Supplier Performance Risk System (SPRS) before awarding.
Note that DFARS 252.204-7012 and 252.204-7020 already flow NIST SP 800-171 and assessment requirements down to subcontractors, and the CMMC clause (DFARS 252.204-7021) flows CMMC requirements down the same way. This means subcontractors that handle CUI must also be CMMC compliant to take part in defense contracts.
CMMC will be phased in over 3 years, but there is no way to know which solicitations will carry the requirement until they are released, and by then it is too late to start becoming compliant. If you are a defense contractor, the only way to ensure you can keep your current contracts and win new ones is to complete a CMMC assessment before the clause shows up.
CFR 32 is the rule that defines the CMMC program and allows CMMC assessments to begin. Until now, assessments have been conducted jointly by CMMC Third-Party Assessment Organizations (C3PAOs) and the DoD's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) under the Joint Surveillance Voluntary Assessment (JSVA) program. Once CFR 32 takes effect, JSVAs will end and C3PAO-led Level 2 certification assessments will begin. DIBCAC will continue to conduct the assessments of the C3PAOs themselves, CMMC Level 3 assessments, and DIBCAC High assessments.
The Cyber AB still needs to release the CMMC Assessment Process (CAP) before assessments can begin, but industry experts expect C3PAO assessments to start by mid-November. Many defense contractors have already scheduled C3PAO assessments; those who have not should do so soon, because the pool of authorized C3PAOs is limited and waiting lists are growing.
If you are a defense contractor, you need to decide whether you want to remain part of the Defense Industrial Base (DIB). If you choose to "wait it out" and see what happens with CMMC, you are effectively giving up any contract that carries the CMMC clause for at least 12 months, which is how long it typically takes a DIB company to prepare for and complete a CMMC certification. This includes contracts on which you are a subcontractor, since primes are required to flow down the CMMC requirements.
Waiting will only cost you time, money, and lost revenue. Some C3PAOs already have multi-year waiting lists.
Alternatively, getting CMMC compliant now will grant you a competitive advantage when bidding on DoD and Prime contracts.
Fundamentally, we are at what Intel founder Andy Grove called a “strategic inflection point” in CMMC. If you wish to win DoD work, then you need to get CMMC compliant. Failure to achieve compliance means choosing to be a spectator to the industry’s growth.
If your organization wishes to stay in the Defense Industrial Base, then you will need to become CMMC compliant. PreVeil can help.
PreVeil is used by over 1,200 defense contractors and provides a comprehensive solution to expedite CMMC compliance.
PreVeil supports 102 of the 110 NIST SP 800-171 controls and walks you through how to meet the remaining eight. Our proven solution has been used by over 10 defense contractors and C3PAOs to achieve perfect 110 scores in tough DoD assessments.
To get the latest CMMC updates and learn how PreVeil can help, reach out to our team, or schedule a free 15-minute compliance consult.
The post The CMMC Rule is Final! appeared first on PreVeil.
This is a Security Bloggers Network syndicated blog from Blog Archive - PreVeil, authored by Orlee Berlove and reviewed by Noël Vestal, PMP, CMMC RP. Read the original post at: https://www.preveil.com/blog/cfr-32-cmmc-rule-is-final/