July 26, 2023
Breaking News: the CMMC rule is coming!
On Monday, the CMMC rule moved to the Office of Management and Budget. They have 90 days to review before publication, so we should get to see it by late October. A 60-day period for public comment will follow. And then what?
(1) If the rule is published as an interim final rule, it will become effective immediately. In this scenario, the CMMC clause could start showing up in contracts this year. Although this is what the DoD is hoping for, most people don't think this will happen.
(2) The more likely scenario is that the rule is published as a proposed final rule. In this case, it will become effective after the DoD has responded to public comments (and perhaps tweaked the rule just a bit). According to a great analysis by Jacob Horne on LinkedIn, based on the average time for past DoD rules, we can expect the final rule to be published in late 2024 or very early 2025, becoming effective immediately upon publication.
What does this mean for your implementation timeline? If Jacob's analysis is correct, we can expect to see the CMMC clause in contracts in April 2025 at the very latest. That's a maximum of 20 months from now. Since the average time for an organization to fully implement NIST 800-171 and be prepared for an official assessment is 18 months (and then, only when the necessary resources are dedicated), it will be difficult to achieve CMMC certification before the CMMC rule becomes effective unless you are pretty far along in your compliance journey at this time.
The DoD has stated that they expect a phased implementation with a 3-year rollout, so the clause won't start showing up in every contract right away. What is this going to look like? No one knows exactly. With flowdown, this becomes complicated. If a prime receives an early contract with the CMMC clause, they have to flow it down to their subs, which means subs working on the contract will need CMMC certification at that time.
Final takeaway: I know a lot of people have been waiting for the final rule to come out to "get serious" about their CMMC compliance program. Well, this is your heads-up! If you wait until actual publication, you will be three months farther behind.
Need help? You know where to find me!
Remember, you can read past editions of this newsletter on our website, along with tons more information under the CMMC and Resources tabs. Feel free to share this update!
Sincerely,
Glenda R. Snodgrass, CCP
grs@theneteffect.com
The Net Effect, LLC
www.theneteffect.com
251-433-0196 x107