CMMC Update: Compliance Deadline Shifts

The move toward the Cybersecurity Maturity Model Certification continues and Katie Arrington, chief information security officer for the Defense Department’s acquisition policy, offered some tidbits of news during her presentation at the Washington Technology Power Breakfast on Friday.

CMMC is DOD’s initiative to have its contractors audited and certified that meet certain NIST and other security requirements.

Most significant for contractors is that compliance with CMMC will shift to time of award, Arrington said. Previously, the requirement was that contractors had to have their certification in place when they submitted their bids.

The shift to time of award gives contractors a bit more time to go through the audit and certification requirement.

Arrington also encourage industry to attend the public hearing on changes to the Defense Federal Acquisition Regulations, or DFARS, that will help implement CMMC and make it a requirement in contracts.

A public hearing is expected in late April or early May (unknown what the impact of the coronavirus will be) and a final rule will be issued in October. That’s just in time for when the first solicitations will come out requiring CMMC.

One issue that industry hopes will be clarified with the final DFARS rule involves allowable costs and whether contractors will be able to pass along the cost of CMMC as part of their pricing.

While industry is hopeful and will likely get some allowable costs as part of the rule, a complicating factor is that compliance with cyber standards such as NIST SP 800-171 is something companies are currently supposed to be doing. Contractors self-certify to that standard and CMMC is adding a third-party audit component.

But as one source said to me, Can industry expect reimbursement for something they are already doing?

It is sure to be a topic of discussion at the hearing. We’ll keep track and post when it is scheduled.

In another bit of news, that Arrington shared with FCW staff writer Lauren Williams is that the memorandum of understanding between DOD and the CMMC Accreditation Board is closed to be finalized and signed. Days away apparently.

The MOU will set the stage for the accreditation board to be the process for training and approving the third party auditors that need to be in place for contractors to get CMMC certified.

We live streamed the event today, so if you want to watch, click here.