CMMC Final Rule Is Here: What You Need To Know
CMMC is finally here! It’s been quite a journey since CMMC 1.0 was first announced back in January 2020. Now, almost five years later, there have been many important changes, and we’ve kept you updated along the way. As we get closer to the official rollout, we wanted to highlight some key points to help you navigate CMMC.
- Effective Date: The CMMC rule goes into effect on December 16th. This is when Organizations Seeking Assessment (OSA) can start scheduling and receiving their CMMC Level 2 Assessment.
- Self-Attestation: Organizations seeking Level 1 certification, and in some cases Level 2, will be able to self-attest to meeting the necessary requirements. But keep in mind, self-certifying means you’re personally responsible for confirming the accuracy of the information you submit.
- Phased Rollout: The DoD plans to roll out CMMC certification requirements in four stages. This helps the defense industrial base (DIB) go through the process without overwhelming the C3PAOs (Certified Third-Party Assessment Organizations). However, it’s up to the contracting officers to decide when primes need to ensure their subcontractors meet CMMC requirements.
- Prime Responsibility: Prime contractors are responsible for making sure their subcontractors are compliant with CMMC at the time of contract award. They need to ensure that the CMMC requirements flow down to their subs.
- External Service Providers (ESPs): Technically, ESPs don’t need to meet CMMC Level 2 requirements if they don’t transmit or store CUI (Controlled Unclassified Information). However, the services they provide to an Organization Seeking Assessment (OSA) may still be evaluated during the assessment.
- Understand the CMMC Levels: Familiarize yourself with the different CMMC levels and their specific requirements. Or, work with someone who understands the process and can guide you. This will help you figure out which level your organization needs to achieve.
- Conduct a Gap Analysis: Perform a gap analysis to see where your current cybersecurity practices fall short of the CMMC requirements. This helps prioritize what needs to be addressed. You can also have an outside party conduct a readiness assessment to make sure you’re fully prepared.
- Develop a Compliance Plan: Create a plan detailing the steps your organization will take to meet CMMC requirements. Make sure to include timelines, responsible parties, and the resources you’ll need.
- Implement Security Controls: Ensure all necessary security controls are in place and functioning effectively. This includes technical measures like encryption and access controls, as well as policies and procedures.
- Regular Training and Awareness: Hold regular training sessions to make sure employees understand their role in maintaining cybersecurity. Awareness programs can prevent common security mistakes.
- Continuous Monitoring and Improvement: Set up a process for continuous monitoring and improvement of your cybersecurity practices. Regular audits and assessments will help you stay compliant and address new threats as they arise.
At Summit, we have been involved in CMMC since its inception, and we have a lot of experience preparing companies for these new requirements. We hold certifications across the board and can help get your organization where it needs to be. If you’d like to set up a no-obligation meeting to discuss our preparation process, you can click here to schedule time on my calendar or click the button below for our contact form.