CMMC In 2021: New Steps, Timelines, and Future Outlook

      By: Evan Ahmed  |  Splunk Engineer

Department of Defense (DoD) contractors must remain agile and quickly improve their cybersecurity infrastructure as new developments in the CMMC certification and auditing process are continually rolled out. Staying up to date with the latest Interim Rule requirements remains critical for contractors to remain compliant and successful in their CMMC journey.

The Department of Defense rolled out many critical updates, changes, and cybersecurity requirements for contractors within the last year. Two major developments of CMMC in 2020 include the announcement of the CMMC-AB formation and implementation of the Interim Rule in November. DoD contractors rushed to make necessary changes and improvements to remain compliant and eligible for DoD contracts. However, as we move through 2021 and beyond, there are many changes and developments in CMMC certification that contractors must stay current with.

What is CMMC Certification?

The Cybersecurity Maturity Model Certification, or CMMC, is comprised of universal standards that define uniform steps, policies, and procedures for implementing cybersecurity across the defense industrial base (DIB). In a nutshell, CMMC is developed by the US Department of Defense to keep the critical information/data of the DoD safe as it is disclosed to its contractors. CMMC sets specific cybersecurity standards that all DoD contractors must comply with to be eligible to do business with the DoD. Compliance with these standards enables DoD contractors to effectively protect the critical information/data of DoD and avoid emerging cybersecurity risks.

With the combined efforts of University Affiliated Research Centers, Federally Funded Research and Development Centers, and industry, the first CMMC version was released on January 31, 2020. The latest released version ended the previous practice where DoD contractors were responsible for deploying and maintaining the state-of-art cybersecurity defense mechanisms that protect their assets and the information/data of DoD. With the release of the new version, now the DoD appoints third-party auditors that assess the compliance level and eligibility of contractors to determine whether the deployed practices, procedures, and security parameters set by contractors are compliant with the CMMC security standards. Contractors that fail the third-party audits are not allowed to participate in contract proposals or to do business with the DoD.

CMMC in 2021: What does the future look like?

From a bird’s eye view, the first priority for DoD contractors seems to be improving their security infrastructure. Contractors must conduct thorough security risk assessments: identify security loopholes, develop compact security improvement plans, and report them to the DoD. Completion of the POA&M for contractors remains critical to establish security and maturity.

CMMC Maturity

Moving forward, CMMC maturity will play a dividend role in determining which contractors are deemed eligible for business and are awarded the contracts. Before applying for compliance or certification, it is imperative to have a compact cybersecurity plan in place that facilitates CMMC maturity. With an effective security program, CMMC maturity can be achieved. Reportedly, it may take six to nine months to fully implement a POA&M and achieve full compliance. However, this timeline can change to more than one year if project managers who are responsible for awarding DoD contracts determine that the time spent on developing, maintaining, and improving your security plan is relatively low as compared to the competition. Implementing your POA&M in a timely fashion can help you achieve CMMC maturity faster and will ultimately increase your chances of winning the contracts.

Steps and a Timeline for CMMC in 2021

CMMC Readiness Assessment

One of the most critical and low-cost steps required for compliance with the Interim Rule is the CMMC Readiness Assessment. Most DoD contractors complete this step prior to applying for compliance or certification. However, there are many contractors that lack this assessment. If you are one of those contractors, it is highly recommended that you conduct the assessment and compile key metrics, including your accurate assessment score for SPRS, SSP/POA&M, and recommendations for remediation to implement your POA&M.

Remediation & Maturity in 2021

As mentioned above, CMMC maturity levels will help project managers to shortlist the applicants and choose suitable contractors. As a DoD contractor, you must make an effort to complete your POA&M and gain maturity by having your cybersecurity program in place and running well before you’re audited by DoD third-party assessors. The faster you deploy your security plan and work toward its successful completion, the faster you will achieve a higher CMMC maturity level. Not only it will help you fully implement your POA&M and achieve a perfect score, but it will also help you win more contracts.

CMMC Audits 2021-2025

The DoD is likely to roll out new programs, compliance requirements, and more strict audits. Chances are, if you are already compliant with the latest CMMC certification requirements, any new rollout from the DoD can potentially require you to undergo an audit again to remain compliant and eligible as a DoD contractor. Keeping an eye out for the latest CMMC rules, and requirements can help you achieve faster CMMC implementation of the updates and can lower the risks of non-compliance and potential business loss.

As a DoD contractor, you must strive for long-term cybersecurity agility rather than focusing on only the CMMC certification and compliance requirements. The CMMC requirements can change over time, so ensuring the implementation of state-of-the-art security measures can help you achieve a higher level of cybersecurity and can make it easier for you to also achieve the latest security requirements of CMMC. If you haven’t already, assess your cybersecurity infrastructure, identify gaps, make plans to bridge the security gaps, and implement strict security controls and procedures to achieve higher CMMC maturity and contract winning rate.

Want to learn more about CMMC in 2021 and how you can prepare? Contact us today!