Since last summer, the Cybersecurity Maturity Model Certification (CMMC) and the impact that it will have on businesses large and small have been weighing heavily on the minds of anyone doing business with the DoD. Although many businesses and organizations have been shut down or have had to re-evaluate their projects and deadlines during the COVID-19 pandemic, the Office of the Under Secretary of Defense for Acquisition & Sustainment has been hard at work making sure that everything is still on track for its rollout of the CMMC model this summer. Since version 1.2 of the CMMC dropped in mid-March, there have been a number of new developments in the world of cybersecurity in the DoD.
CMMC Updates from Katie Arrington
In a recent webinar, Katie Arrington (CISO, Office of the Assistant SECDEF, Acquisition), Wayne Boline (Director, CMMC Accreditation Body), representatives of Carnegie Mellon University, and other industry leaders presented new information on the CMMC process that will be of great importance to DoD contractors and other members of the Defense Industrial Base Sector (DIB).
Among the webinar’s main highlights are these interesting pieces of information provided by Katie Arrington:
- There will be “Pathfinder” RFIs including CMMC language issued in June, with RFPs going out in November.
- CMMC certificates will only be required at time of award for RFPs that have CMMC language; this should allow companies to go ahead and bid on RFPs coming out in November.
- Existing contracts won’t be modified to add in CMMC requirements (i.e. current contracts will not have CMMC requirements specifically added to them).
- Note that even if a contract doesn’t explicitly contain CMMC language, contractors are still currently bound by the requirements of the associated DFARS clause 252.204-7012.
- Approximately 285,000 contractors will require a Level 1 certification.
- The certification will be good for three years.
In addition to Ms. Arrington’s comments, Wayne Boline stated that the Accreditation Body for CMMC is still working on establishing itself. It currently consists of a volunteer board of directors, and it is pending recognition as a 501(c)(3) nonprofit. The organization does not expect to receive any funding from the DoD, and is “exploring several funding options.” Mr. Boline also made it clear that “There are no CMMC-AB approved C3PAOs or Assessors at this time,” and that the CMMC-AB is still working on defining standards in order to certify assessors.
CMMC AB Released an RFP for a “continuous monitoring solution”
On April 22nd, 2020, the CMMC Accreditation Body (AB) released an RFP for a continuous monitoring solution on LinkedIn, stating that they were “looking to partner with industry to provide us and the CMMC program this capability.” The anticipated selection date for the proposal was May 8th by 1:00 pm US Eastern Daylight Time, although no decisions have been made public by the Accreditation Body at this time.
CMMC AB Releases a First Look at C3PAO Program Enrollment, Requirements, And Fee Structure
On Sunday, May 10th, the CMMC-AB released drafts of the fee structures and required costs associated with becoming a Certified Third-Party Assessment Organization (C3PAO). Some sample forms can be found in an article on LinkedIn. The Accreditation Body has said that these drafts aren’t finalized yet, so we (the public) should view these drafts as incomplete because “the information is not accurate. In a couple of weeks, it will be, and we’ll be pushing out an email to alert everyone.”
Mission Multiplier is committed to providing our customers with the most reliable and most up-to-date information possible, so we’re closely tracking all CMMC-related updates. Whether you or your company needs help preparing for the upcoming CMMC rollout or safeguarding your business during the COVID-19 pandemic, we’re here to help in any way that we can. Please reach out to us with any questions or concerns and we’d be more than happy to assist you with any of your cybersecurity needs.