A NON-Official Update on Where CMMC (Cybersecurity Maturity Model Certification) Seems to be as of Today

A NON-Official Update on Where CMMC (Cybersecurity Maturity Model Certification) Seems to be as of Today

Now that we are well into 2021, many of you may be starting to wonder more about CMMC certification and what it entails. I thought I would write a series of blogs that might help you better understand the CMMC process. This will serve as the first in this series of blogs.

As many of you know, CMMC came about when the Department of Defense realized that simply letting contractors self-attest that they are meeting DFARS (Defense Federal Acquisitions Regulation Supplement) requirements was not adequate for securing our nation's data. Many failed to reach full compliance and others had never even started the process. So, the CMMC was created to do away with the ability to “self-attest'' you are meeting compliance and enforces validation by certified third parties before a contract can be awarded. 

As of today, all auditors from the CMMC AB board are provisional. There are no actual certified assessors ready to perform an audit to the general contracting public during this provisional phase. There are plans to have the first batch of CA-3 (What is a CA-3 auditor?) by late summer or the early fall of 2021, but at times it does seem to be a moving target. There are many individuals who have taken the Registered Practitioner test like myself, but that designation can only help you prepare for an actual audit.

Over the next 5 years the requirement to meet CMMC conditions within DOD (Department of Defense) contracts will continue to roll out. This process has fallen behind a bit due to the details that have needed to be worked out through the training and accreditation processes, Covid 19 slowdowns and the sheer size of this undertaking that will affect over 300,000 government contractors. Although a little behind at this point, the government still intends on including the CMMC requirements using  a phased approach.

  • 15 contracts by the end of 2021 affecting approximately 1,500 contractors
  • 17 contracts by the end of 2022 affecting approximately 7,500 contractors
  • 250 contracts by the end of 2023 affecting approximately 25,000 contractors
  • 479 contracts by the end of 2024 affecting approximately 47,905 contractors
  • 479 contracts by the end of 2025 affecting approximately 47,805 contractors

Because you will not know which contracts will have the requirement or when the requirement will be needed. Most are recognizing this and pushing for compliance now (is the right move). 

I could be wrong, and hope I am, but based on everything that I am hearing and seeing actual Certified Auditors will not be available to audit the masses until Q4 2021 or Q1 of 2022. To be clear this is not official guidance from CMMC, simply my guess based on what I am hearing and math. If you are thinking of waiting until the last possible moment before getting your house in order do not, as it could be a costly mistake. CMMC auditors will be taught to review your policies and procedures, to ensure that you have a culture built around compliance of  control. Culture is a factor of time, so you need to have these items in place for a while before your CMMC certification rolls around.

F1 is working with clients now to get them ready for their third party CMMC level audits from a qualified Certified Third-Party Organization. Please contact us for more information or help with your CMMC certification.

What you should be doing to achieve CMMC level 3 compliance 

F1 Solutions: https://www.f1networks.com/

Jennifer VanderWier/CISO


Need help finding ways to reduce business costs? Our FREE eBook has the answer.Learn more here