6 Months Until CMMC In Contracts: Fail to Prepare, Prepare to Fail!
Chris Riani | CISSP | CASP
The proposed 32 CFR and 48 CFR CMMC rules have been submitted to the Office of Information and Regulatory Affairs (OIRA) and are expected to be published between the end of 2024 and the first half of 2025. Once final, they will mandate a specific CMMC level (1, 2, or 3) in defense contracts. Because these final rules will profoundly affect defense contractors, we have put together an overview of the changes to help you fulfill your existing DFARS 7012 contractual obligations today and position your organization for a favorable CMMC certification outcome in 2025.
What You Need to Know Today
In short, once the 32 CFR and 48 CFR final rules are published, CMMC requirements will begin flowing directly into defense contracts through specific contract clauses. Organizations that have postponed their CMMC strategies will have roughly six to eight months to close their gaps. To clarify how these changes may soon affect your organization, here are the key considerations to keep in mind as you work toward compliance:
- Contractual Obligations: The final rules will revise existing contract clauses (notably the DFARS 7012 clause included in nearly all federal defense contracts) to incorporate CMMC requirements, meaning each of your defense contracts will specify the CMMC level that must be met.
- Mandatory Compliance: You must hold the specified CMMC level to be eligible for contract award. Compliance will be a mandatory contract term, not an option.
- Supply Chain Requirements: Primes will flow down the CMMC requirements to their supply chains, so subcontractors will also need to achieve the required CMMC level.
- SEC Cybersecurity Rule: Though seemingly out of place, the SEC rule adds pressure on prime contractors, many of which are publicly traded, to ensure their supply chains are fulfilling their DFARS 7012 contractual obligations. Publicly traded primes now have a legal obligation to disclose material cyber incidents, and if an investigation reveals that a supplier in a prime's supply chain was involved in an incident, the government may intervene. Because contractors and subcontractors are already required to adhere to NIST 800-171, non-compliance can carry legal consequences, including liability under the False Claims Act.
Additionally, with election season approaching, publication of the final CMMC rules may well be expedited, which would shorten the compliance window further. Addressing your contractual obligations now is critical, not only to be prepared but to remain competitive and eligible for future defense contract opportunities. Acting now safeguards your position in the defense industry and your ability to keep winning government contracts.
The Urgency to Act Now: Implementation Timelines, SPRS Scores & DFARS 7024
Achieving CMMC compliance is a comprehensive effort that typically takes 6-18 months and requires significant investments of time, money and staff effort. With the CMMC rule-making process nearing completion and primes pressing their subcontractors to meet these regulatory requirements, it is essential to verify that you are on track, both to avoid lost contract opportunities and to avoid being forced into a rushed implementation.
Beyond timelines, keep in mind that the DFARS 7024 clause gives contracting agencies (e.g., DoD, US Navy, USAF) visibility into your SPRS score when determining whether your organization has adequate cybersecurity safeguards in place to protect CUI. Under the NIST SP 800-171 DoD Assessment Methodology, the SPRS score starts at 110 (one point per requirement) and is reduced by 5, 3, or 1 points for each requirement not implemented, so scores range from 110 down to -203. The DFARS 7024 clause also emphasizes demonstrating improvement in SPRS scores; based on feedback from a number of primes and from industry thought leaders, a minimum score of 70 is likely to be the informal baseline for meeting expectations and remaining competitive. However, that informal baseline will not last: the moment the final rules are published, a score of 110, meaning every NIST 800-171 requirement implemented, will be required to comply with NIST 800-171 and achieve CMMC.
At TSI, we have conducted numerous CMMC readiness assessments and often see SPRS scores near -100, most often due to misinterpretation of control requirements and a lack of documentation, notably the system security plan (SSP). It is therefore essential to have a CMMC RPO like TSI accurately assess your compliance posture and identify gaps that could, in some cases, cost you future contracts and, in the worst case, expose you to liability under the False Claims Act (FCA). With the 32 CFR and 48 CFR CMMC rules expected to be published in late 2024 and early 2025 respectively, the window for preparation is narrowing quickly. Once the rules are finalized, CMMC requirements will become a critical component of defense contracts, making compliance an urgent priority.
TSI Can Help Your Organization: We Practice What We Preach!
At TSI, we specialize in helping defense contractors navigate the complexities of cybersecurity and compliance, tailoring our services to your specific objectives and providing a clear path toward complying with NIST 800-171 and achieving CMMC. As a CMMC Registered Provider Organization (RPO) that has been assessed by an authorized CMMC-AB Certified Third-Party Assessor Organization (C3PAO), we not only understand what a CMMC assessment entails from an IT, cybersecurity and documentation standpoint, we adhere to the same compliance standards ourselves. That experience allows us to provide the Managed Service Provider (MSP) and Managed Security Service Provider (MSSP) services our clients need for CMMC, including but not limited to:
- Expert Guidance: Our team of cybersecurity experts stays updated with the latest regulatory updates, providing informed and strategic advice.
- Comprehensive Services: From initial assessments to full-scale implementation and ongoing support, we offer end-to-end solutions.
- Proven Track Record: As an established CMMC RPO, MSP, and MSSP, TSI has a 7-year proven history of helping clients successfully address their DFARS 7012 obligations and prepare them for CMMC compliance.
- IT and Cybersecurity Expertise: TSI simplifies the process of identifying the IT and cybersecurity solutions required for CMMC compliance, helping clients address their contractual obligations effectively (e.g., GCC High, PreVeil, Azure GovCloud, FedRAMP).
With the CMMC rule-making process nearing completion and an industry average of 12-18 months to become CMMC ready, we strongly recommend reaching out to TSI today to schedule a consultation and ensure your organization is prepared for these critical changes. To learn more about how TSI can help your organization, including our suite of NIST 800-171 and CMMC 2.0 solutions, please visit the pages below:
NIST SP 800-171 Services & Solutions
Addressing compliance obligations is a significant challenge for many organizations, but it doesn’t have to be. Our team has decades of experience navigating the pitfalls of compliance and we would appreciate the opportunity to help you on your journey. Contact us today.
About Technical Support International
TSI is a 35-year-old cybersecurity (MSSP) and IT support (MSP) company specializing in helping DIB organizations address their NIST 800-171 and CMMC compliance obligations. As a CMMC-AB Registered Provider Organization (RPO), TSI offers a complete NIST 800-171 and CMMC support solution to guide our clients toward a successful certification audit and provide assurance that they are adhering to these expansive compliance requirements.