We developed a comprehensive overview of the NIST 800-171 security controls that are expected to be the cornerstone of CMMC regulations.
Many small- and medium-sized businesses are anxious about when the new rules will be put into place. Additionally, you may be wondering what you can do now to prepare for the eventual rollout of CMMC and the new contract requirements that will stem from it. This article aims to answer some of these questions for you.
When Will CMMC Be Rolled Out?
Unfortunately, there still isn’t a firm date for when CMMC accreditations will begin to be issued, especially for small businesses operating at CMMC Levels 1-3.
But the implementation of CMMC will be a gradual process. The DoD has stated that they intend to begin the rollout of CMMC requirements for contracts beginning in September 2020. This doesn’t mean that all contracts will have a CMMC level requirement. At that point, it will likely only target large contracts with major contractors, who are expected to already be complying with the equivalent of a high CMMC level.
But as of yet, no organizations or companies have been accredited by the DoD as CMMC third-party assessment organizations (C3PAOs). However, a CMMC Accreditation Body has been established to begin the work of locating and training assessors and auditors for CMMC, so keep an eye out for when the first of those accreditations happen.
What Questions about CMMC Remain Unanswered?
There are many questions that are still up in the air, especially for small companies. Who will provide CMMC training and certification? How much will it cost? What will an assessment look like? When and how will subcontractors be required to comply with CMMC?
As you probably know, it’s a slow-moving process, with many unknowns remaining. So, CMMC certification for small companies is probably still at least a year out.
What Can I Do Now to Prepare for CMMC?
The expectation continues to be that CMMC will be largely based on NIST Special Publication 800-171 for protecting Controlled Unclassified Information (CUI). So if you haven’t already, start taking steps to bring your systems into compliance with those guidelines.
If your contracts already include DFARS 252.204-7012, then you’re already expected to be in compliance with NIST SP 800-171; there just isn’t a verification method yet. So any steps you can take to comply with those guidelines will ultimately make it easier for you to obtain CMMC certification once it becomes available.
If you need help getting your network into compliance with NIST SP 800-171, E-N Computers can help. Regular audits, milestones and update meetings can help your organization get moving in the right direction.
Additionally, you may qualify for state assistance for getting your network compliant. Virginia’s Defend CUI is a grant program designed to help small and medium businesses comply with the new CUI requirements and maintain their defense contracts.
Contact E-N Computers today to find out how we can help you get ready for CMMC.