As a Registered Practitioner Organization (RPO), Tego stays up-to-date on the changing guidance surrounding CMMC. We attend periodic CyberAB Town Hall meetings and leverage our extensive network of compliance professionals to learn more about the changes that impact the CMMC compliance process.
Here are a few updates from the latest Town Hall meeting:
- It is more important for contractors that have implemented NIST SP 800-171 to go for a Joint Surveillance Voluntary Assessment (JSVA). The assessment requires 80% compliance to pass, with a 4-year validity for CMMC certification.
- Utilizing an RPO is still a recommended course of action to prepare for a JSVA and CMMC compliance.
- There will be a phased approach once rule-making is complete; not all contracts and recompetes will require CMMC immediately.
- DoD rule-making is still slated to be complete by May. Once complete, the rule has to be sent to the Office of Information and Regulatory Affairs (OIRA), which will typically review it within 3 months. Once OIRA has reviewed it, the rule is sent out for public comment. The public has 60 days to comment. The DoD will have to respond following public comment, unless the rule is issued with Interim Status.
- Given that it is March and the DoD has not sent the rules to OIRA, we expect the best-case scenario to be June 2023 for public comments to start.
- It is likely that the phased requirement will start mid-Q4 at best unless the rule is designated with Interim Status.
- Interim status means that the cybersecurity standards will be implemented temporarily until a final rule is complete, allowing the DoD to enforce the standards while also allowing for public input and refinement before the final rule is implemented. The current minority consensus is that the rules will be published and granted interim status.
What does Interim Status mean?
If the CMMC rule-making process is given interim status when it is complete, it means that the CMMC requirements and guidelines will be implemented on a temporary basis until a final rule is developed and put in place.
- Interim status is typically granted when there is an urgent need to implement new regulations or guidelines, but the rule-making process is not yet complete. In the case of CMMC, interim status would allow the Department of Defense (DoD) to require contractors to demonstrate compliance with the CMMC cybersecurity standards while the final rule-making process is being completed.
- Interim status may include a period of public comment and feedback, which can be used to refine and improve the final version of the rule. The DoD would then use the feedback to develop a final rule that would replace the interim status requirements.
- Granting interim status for CMMC rule-making means that the cybersecurity standards will be implemented temporarily until a final rule is developed, allowing the DoD to enforce the standards while also allowing for public input and refinement before the final rule is implemented.
The above information can be overwhelming when attempting to determine next steps with CMMC. Tego’s Advisory Services team can address your questions and concerns about CMMC. Contact us today to begin your CMMC journey and to learn more about what the process means for your organization.