Here in summary are 3 new realities we must face in the next few years due to these new CMMC announcements:
Bifurcation Is Dead, Back to Third Party Audits
Last November, when CMMC was drastically re-organized, we were introduced to the word “Bifurcation”. Who the heck knew what that was? After we all stopped to look it up, we discovered that the DoD, in conjunction with CMMC, was going to divide CUI into categories. Most of the DIB was said to be able to self-audit, and some “special” CUI would be audited by authorized third parties.
Shocker… the government could not figure out how to achieve bifurcation. There were just too many questions, like what types of CUI would need a 3rd party audit, how they would delineate it, what the timeline for this clarity was, etc.
No Self Auditing
It was announced this past Friday at the DoD town hall that all CUI is important and that they will not categorize it differently. You know what that means: every DoD government contractor that processes, stores, or transmits CUI will have to have a qualified third-party assessment by a C3PAO organization and appropriately credentialed auditors. So those of you who were excited about being able to audit yourself and self-attest under Level 2 CMMC 2.0 are now sorely disappointed.
The rulemaking period, which will legally and fully adopt CMMC as the guiding program to follow in contracts moving forward, should complete in an estimated 9-24 months. This means several hundred thousand DoD contractors and their included support vendors have that long to get third party assessed. What could go wrong with that? (Sarcasm intended)
CMMC Auditor Shortage
There is a severe shortage of auditors in the US (forget the small number of certified auditors). IT and Cyber Security are understaffed by about 2 million people, and that’s before we mandated this. I have no doubt that within 24 months this CMMC language with its requirements will be in contracts. I just have serious doubts about how everyone lines up to the trough to get fed (audited) in the meantime. F1 has partnered with 4 well-known Cyber Security Firms that are all going for these certifications and designations. We serve businesses in our hometown of Huntsville, AL and agencies across the US. We will help you through this.
Stay tuned for more CMMC fun facts!