CMMC interim rule published- Four Key Points


DoD’s long-awaited change to its regulation codifying CMMC has arrived! Published two days ago as an Interim Rule (“Rule”), the CMMC regulation will be effective November 30, 2020 (public comments are being accepted until then). There are lots of details in the Rule, but we have boiled it down to Four Key Points:


1. NIST Assessments Required – New DoD contract awards will require companies to have a current (not older than three years) NIST SP 800-171 DoD Assessment on record in order to be considered for an award. The Rule notes that “only 36% of contractors demonstrated implementation of all 110 of the NIST SP 800-171 security requirements.” Our experience with clients is the same – companies overwhelmingly have work to do to become NIST compliant, much less CMMC compliant.


2. Government Audits More Likely – The Rule requires a contractor to provide the Government with access to its facilities, systems, and personnel when necessary to conduct or renew higher-level assessments (see 252.204-7020, NIST SP 800-171 DoD Assessment Requirements). As previously noted, we anticipate more Government audits and False Claims Act cases as the DoD implements renewed enforcement of its cybersecurity standards. Expect more audits of your NIST compliance under your current contracts.


3. CMMC Certificate Codified – The new independent third-party certification (not older than three years) was codified as a requirement for contractors (see 252.204-7021, Cybersecurity Maturity Model Certification Requirement, not to be confused with DFARS clause 252.204-7012). Although long anticipated (since 2019), the Rule makes the certification “official.”


4. Estimated Cost Assumptions – The Rule details estimated costs (which are fairly significant) for small businesses to achieve their desired/required CMMC level. Importantly, however, those cost estimates assume that companies are already compliant with the 15 basic safeguarding requirements under FAR clause 52.204-21 for CMMC Level 1, or with the 110 existing NIST SP 800-171 requirements for CMMC Level 3. As noted in #1 above, most organizations haven’t achieved the baseline requirements. Therefore, organizations will need to budget not only for the CMMC costs noted in the Rule, but for NIST compliance as well.


Bottom Line – There is a lot to digest in the Rule, but the key takeaway is that while CMMC implementation will certainly affect future RFIs/RFPs in accordance with the phased rollout schedule, it is critical for contractors to ensure adherence now to the 110 requirements of NIST SP 800-171 as specified in their existing DFARS 252.204-7012 contractual obligations.


Please contact us if you have any questions about what this means for your organization. Also, since it is 2021 budget season for many of us, let us know if you would like assistance in creating a budget to handle NIST and CMMC compliance. Turning cybersecurity into a competitive advantage, rather than a headache, is possible under these new rules.
