The Cybersecurity Maturity Model Certification (CMMC) is a cornerstone of Department of Defense (DOD) supply-chain security efforts, but it is still a work in progress. The goal of protecting controlled unclassified information (CUI) that resides in the data networks of the Defense Industrial Base (DIB) is indisputable. One challenge is how to assess and certify implementation of required security practices at scale, while another is avoiding bureaucratic roadblocks and pricing hurdles that could keep small and medium-sized businesses from successfully conforming to the CMMC standard.
After a pause and a reboot last fall, the CMMC office moved to the DOD CIO’s organization, the number of CMMC levels and practices was reduced, and the opportunity to do self-attestation at Level 1 was introduced. A proposed revised CMMC rule was submitted to the Office of Management and Budget in late summer of this year, and an interim rule is expected by March 2023, followed by a 60-day public comment period. Language requiring CMMC certification could be in contracts starting in May 2023.
In the meantime, there are opportunities for all parties to get ahead of the game and engage in CMMC by completing self-assessments. We have the tools and an affordable means to conduct, track and manage your self-assessment for all 110 controls. Email us at gordon.bruce@gjbandassociates.com for more information on our offerings.