by Scott Dawson, President and Co-Founder, Core Business Solutions, Inc

If you contract with the Department of Defense (DoD), you’ve probably experienced some confusion over the last few years. In 2019, the DoD announced its new cybersecurity requirements for contractors–the Cybersecurity Maturity Model Certification (CMMC). Since then, the rollout has faced revisions and delays, leaving many contractors unsure of the future. But now the DoD has announced a publication date for the final version of CMMC: March 2023. The DoD has also outlined a new schedule for the rollout of requirements to contractors.

Refresher: What is CMMC 2.0?

America’s adversaries know it’s easier to exfiltrate information from defense contractors than from the DoD itself. The DoD has strict cyber protections in place for its own systems. But often, its contractors and subcontractors have fewer defenses. Bad actors can hack contractors to steal valuable information–such as Controlled Unclassified Information (CUI)–and in some cases piece together entire designs or plans. To prevent such attacks, the DoD introduced stricter cybersecurity requirements for all contractors. CMMC will require many contractors to prove their cybersecurity compliance with an official third-party assessment certification. All DoD contractors will need to certify to some version of the model.

CMMC Rollout

According to DoD, the final rule for CMMC 2.0 should be published in March 2023, presuming the government’s rule-making process goes as planned. At that point, a 60-day comment period will ensue. Later in 2023, if things stay on schedule, formal CMMC certification requirements will officially begin appearing in defense contracts. This will mean that a full CMMC certification will become mandatory in order to be awarded a contract that includes this requirement. It will take three years for CMMC to reach all defense contracts, with a target date of October 1, 2025 for the complete rollout. As a DoD contractor, your first step is to determine what type of information you are handling and which level of CMMC you must meet to keep your contracts.

Side Note: DoD Compliance & Opportunity Forums are scheduled on March 21 (Erie) and March 22 (Kersey). The program will feature lunchtime keynote speaker Kelley Kiernan, Chief Technology Officer/Blue Cyber Director, Department of Navy SBIR/STTR) and also panelists of Prime Contractors sharing their perspectives on cybersecurity logistics. See all
the details and register at www.nwirc.org/cmmc.