The Department of Defense is looking for an interim rule for its Cybersecurity Maturity Model Certification (CMMC) program in May 2023, which means CMMC rules might start to be included in contracts during the summer of 2023.

The rule is expected to be available for public comment in March 2023, and DOD officials say CMMC might start to be included in contracts as soon as the summer of 2023.

The implication for DOD suppliers is that the timing has become much more urgent. It can typically take 6 months to a year to build the compliance systems, gather documentation and remediate compliance shortcomings in an IT system. To comply with CMMC 2.0, suppliers must be able to show they are securing Controlled Unclassified Information (CUI). Currently, suppliers can work toward NIST 800-171, and coming into compliance with it can take about a year. So the time to start working toward compliance is now.

Stacy Bostjanick, director of CMMC policy at DOD’s Office of the Under Secretary of Defense for Acquisition and Sustainment, explained: “Our anticipation is that we will be allowed to have another interim rule like we did last time, we’re hoping that that interim rule will go into effect by May [2023].”

Bostjanick also noted that CMMC 2.0 will undergo its first tabletop exercises in June or July 2022 to test the new updates and receive feedback from members of the Defense Industrial Base.

Let Tech Guardian guide your company through the CMMC 2.0 compliance process. Please call us for a 15-minute initial phone consultation at 951-319-4080.