January 4, 2024
On December 26, 2023, the Department of Defense (DoD) published the Cybersecurity Maturity Model Certification (CMMC) Program Proposed Rule for a 60-day comment period.
The DoD wants the defense industrial base (DIB) to increase its overall cybersecurity posture as cyber threats grow exponentially. To ensure improvement, the DoD has published a new proposed rule, CMMC. The CMMC proposed rule is closely modeled after NIST 800-171 and contains three levels of compliance.
The DoD expects all contracts to contain CMMC requirements by October 1, 2026. However, it will enable its program managers to include CMMC requirements in contracts before that date.
For companies that must pass a third-party assessment, the DoD expects that becoming certified could take about two years. Factors include, but are not limited to:
It’s expected that most companies in the DIB will need to meet Level 1 or Level 2. In the proposed rule, the DoD provided cost estimates for companies striving for each level. Note that for Levels 1 and 2, the estimates do not include costs for implementing security measures or performing remediation activities. The DoD assumes that a company meets all requirements but still needs to undergo the certification process. Some cybersecurity experts have said the DoD’s estimates are low and that they don’t include certain key cost drivers.
Many organizations will seek help from CMMC-qualified resources during their compliance journey, including from Registered Practitioner Organizations (RPOs) certified by the Cyber Accreditation Board.
RPOs and CMMC Third-Party Assessment Organizations (C3PAOs) play a critical role in the CMMC compliance process. Engaging with an RPO or C3PAO for a pre-assessment, sometimes called a “gap analysis” or “readiness assessment,” is essential for organizations to gauge their readiness for the official CMMC assessment. Read our November blog for more information about pre-assessments.
Download our CMMC Guide and schedule a consultation with our CMMC Registered Practitioners today to kickstart your journey towards compliance. Time is of the essence — let’s build a robust cybersecurity foundation for your enterprise.
Dewpoint, an award-winning, Michigan-based technology firm, has been helping businesses prepare for, stay ahead of, and respond to IT challenges for over 26 years. From IT security to infrastructure management to automation, cloud migration, and beyond, Dewpoint has long been a trusted technology resource for businesses.