Author: Robert Teague, Director, CMMC Services, CCP/CCA
The release of the Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0) proposed rule to the Federal Register just before Christmas 2023 officially started the public comment period, which runs until February 26th, 2024. Federal contractors and subcontractors should review the rule and take steps to fully understand the requirements that will apply once the rule becomes final. As the first Authorized Certified 3rd Party Assessment Organization (C3PAO) active in Joint Surveillance Voluntary Assessments (JSVAs), we are fielding many questions, and one of the most common concerns the phased approach to CMMC: what does it mean, and how will it work?
Under the original CMMC model, 15 organizations were selected for initial assessments. The first group of Provisional Assessors (PAs) was to assess those 15 organizations and then participate in routine After Action Reviews to refine the assessment process. From there, the next set of organizations would be selected for assessment and follow the same process over the next three years. However, this is not the path the new CMMC 2.0 rule will follow. While there is still a phased approach, it will not be isolated to a small subset of organizations.
CMMC 2.0, Phase 1
Phase 1 begins on the effective date of the CMMC rule, once finalized. The rule states, “The Department of Defense (DoD) intends to include CMMC Level 1 Self-Assessment or CMMC Level 2 Self-Assessment for all applicable DoD solicitations and contracts as a condition of contract award.” This means organizations required to self-assess will be the first that must comply with the rule in order to bid on new contracts. The rule goes on to state, “The DoD may, at its discretion, include CMMC Level 1 Self-Assessment or CMMC Level 2 Self-Assessment for applicable DoD solicitations and contracts as a condition to exercise an option period on a contract awarded prior to the effective date.” This means organizations that are required to self-assess may have to do so for existing contracts, not just for the contracts they intend to bid on. Finally, for Phase 1, “The DoD may also, at its discretion, include CMMC Level 2 Certification Assessment in place of CMMC Level 2 Self-Assessment for applicable DoD solicitations and contracts.” So, depending on the contract and the work performed for the DoD, organizations may have to engage a C3PAO to perform the assessment in order to maintain the contract. If you fall into this phase and have been waiting, we recommend you get started now.
CMMC 2.0, Phase 2
Phase 2 begins six months after the start of Phase 1. As outlined in the proposed rule: “In addition to Phase 1 requirements, DoD intends to include CMMC Level 2 Certification Assessment for all applicable DoD solicitations and contracts as a condition of contract award.” This means that if the rule is final in the summer of 2024, CMMC certifications will begin by the end of calendar year 2024. It is important to note that CMMC certifications can begin as soon as the rule goes final. C3PAO calendars are already filling up, so don’t wait for the phase to start. “The DoD may, at its discretion, delay the inclusion of CMMC Level 2 Certification Assessment to an option period instead of as a condition of contract award.” This will more than likely be a case-by-case decision. Here, the DoD is leaving contracting agencies the option to state whether certification is required at the time of bidding on the contract, or to institute a conditional award and allow the DIB contractor a set timeframe within which to become certified. “The DoD may also, at its discretion, include CMMC Level 3 Certification Assessment for applicable DoD solicitations and contracts.” Again, it looks like the DoD is leaving itself some room to determine which contracts will require which CMMC level. While it is still unclear who will require this CMMC level, one thing is clear: to achieve CMMC Level 3 certification, organizations must first complete CMMC Level 2 certification; thus, organizations should not wait!
CMMC 2.0, Phase 3
Phase 3 begins one calendar year after the start of Phase 2. The proposed rule states: “In addition to Phase 1 and 2 requirements, DoD intends to include CMMC Level 2 Certification Assessment for all applicable DoD solicitations and contracts as a condition of contract award and as a condition to exercise an option period on a contract awarded prior to the effective date.” This is one calendar year from the start of Phase 1. Again, if the rule is finalized in the summer of 2024, that means that by the summer of 2025 CMMC Level 2 certification assessments will be fully underway. The biggest hurdle is the small number of Authorized C3PAOs available to conduct the assessments, and even more so the small number of Certified CMMC Assessors (CCAs). Organizations may face long waits to get their assessments completed within the allotted time. Additionally, the proposed rule states that “The DoD intends to include CMMC Level 3 Certification Assessment for all applicable DoD solicitations and contracts as a condition of contract award. DoD may, at its discretion, delay the inclusion of CMMC Level 3 Certification Assessment to an option period instead of as a condition of contract award.”
CMMC 2.0, Phase 4
Phase 4 begins one calendar year after the start of Phase 3. The proposed rule states: “DoD will include CMMC Program requirements in all applicable DoD solicitations and contracts including option periods on contracts awarded prior to the beginning of Phase 4.” If we keep to the assumption that the rule will be finalized and go live in the summer of 2024, then by the summer of 2026 CMMC 2.0 certifications will be proceeding at full throttle and will be a contract requirement.
As you read these phases, a trend emerges: the DoD is serious about third-party vendor management. While the rule appears to have a slow roll-out over the next few years, the DoD has made it clear that it can flex the rule when and where it needs to, and as soon as it needs to. Ultimately, the DoD has the flexibility to apply the rule at any time as a condition of contract award, or as a condition of keeping a current contract.
The other picture that becomes very clear is that organizations that have waited to comply with CMMC may now very well be behind the power curve. Remember Black Friday shopping, where hundreds of people stood at the door waiting for the store to open? As soon as the doors opened, it was a mad rush to get in and find the best deals. Given the number of CCAs available relative to the number of contractor assessments that must be completed, you could very well be looking at a similar rush.
While the phased approach is outlined in the proposed rule, it could change during the public comment period. However, it seems clear that the DoD has no intention of stepping back from its stance of requiring defense contractors to protect sensitive unclassified information in accordance with the requirements for Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
Redspin is the first authorized C3PAO to enter the CMMC ecosystem and has performed numerous assessments under the Joint Surveillance Voluntary Assessment Program (JSVAP). While our calendars are currently filling up, there is still time for you to get in the queue. Contact us today to schedule your CMMC Level 2 certification assessment, or risk getting stuck in the crowd waiting to get in the door.