DoD Issues Clarification on CMMC 2.0 Deadline

DoD Issues Clarification on CMMC 2.0 Deadline

What’s New in CMMC | Column 8

“What’s New in CMMC” is a regular column from MxD explaining aspects of the CMMC 2.0 framework.

Manufacturers and suppliers who contract with the U.S. Department of Defense (DoD) may have at least another year or more before they will be required to comply with the first set of rules that make up the Cybersecurity Maturity Model Certification, or CMMC 2.0.

These rules originally were expected to be published this spring. They include the requirements companies should take to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). 

Most of these steps are possible for companies to implement on their own or with minimal help provided they have the needed IT and Cyber resources to support CMMC compliance. They include multi-factor authorization, limiting network access to authorized users, escorting visitors at all times, and installing system vulnerability patches as soon as they are available. 

Despite the rules delay until potentially 2025, MxD experts say these protections are important to implement now, because manufacturing companies remain the top target for cybercriminals around the world — ahead of both the energy and transportation sectors. 

Geopolitical instability drives some of those nefarious efforts, but not all of it. Hackers and other cybercriminals know that small to medium-size manufacturers often have machinery and systems connected to unprotected networks or the internet but don’t have the know-how to fully protect themselves from attack. A significant number of manufacturers aren’t ready to comply with CMMC 2.0 Level 2 as they may lack basic cybersecurity policies and practices that comprise the requirements set as defined in NIST SP 800-171.  

Previously, CMMC 2.0 was anticipated to receive an “interim final rule” by the DoD in March 2023, published in the federal register. That would give manufacturers that contract with the DoD 60 days to comply with the new cybersecurity rules.

Instead, the requirements for CMMC 2.0 are anticipated to be published as a “proposed rule” which includes a 12-month review and comment period, giving manufacturers at least another year to provide feedback to the DoD and also to put the proposed rules in place for their businesses. The new rule making schedule tentatively shifts full implementation of CMMC to 2025.

Still, MxD experts say the CMMC 2.0 Level 2 requirements aren’t going away. Manufacturers should not use any delayed timeline as an excuse to put off the inevitable

Level 1 is the first of three tiers that make up CMMC 2.0. This base level contains 17 required security practices that, if implemented correctly, should protect contractors from a basic  attempts to hack and infiltrate their systems. Level 1 also requires contractors to conduct a self-assessment each year to ensure these 17 requirements are properly in place and working. 

MxD experts recommend that DoD contractors use this newly granted extra time to put the 17 Level 1 rules in place now, and then perform a self-audit to confirm those efforts are successful.  Upcoming Levels 2 and 3 are expected to require triennial third-party assessments to ensure compliance.

Do you or your company need help understanding CMMC 2.0 Level 1 and what is required of contracting manufacturers and their suppliers? Download MxD’s free Playbook for CMMC 2.0 Level 1 to get going. 

Meanwhile, a lot of uncertainty is swirling right now about when the new CMMC 2.0 rules will finally be required, however resources are available to support manufacturers as they work to put them in place.

MxD’s Cyber Marketplace offers assessments that provide organizations with vetted, market-ready cybersecurity solutions. Visit the marketplace for more information.

What’s New in CMMC Series:

Article #1: CMMC 2.0 Cybersecurity Framework: What to Expect
Article #2: CMMC 2.0: Why Manufacturers Should Get Started Now
Article #3: CMMC 2.0: Start With Scoping
Article #4: CMMC 2.0: The High Cost of Skipping Cyber Certification
Article #5: CMMC 2.0: Questions to Ask When Identifying Assets
Article #6: CMMC 2.0: Shoring up Asset Protection for Manufacturing Cybersecurity
Article #7: CMMC 2.0: How Manufacturers Can Prepare for a Cybersecurity Assessment