Contractors should prepare for independent checks on their data systems, and maybe more reporting requirements as well.
It could be well into 2024 or even early 2025 before the Defense Department finally requires contractors to obtain third-party approval of their cybersecurity setup. But there’s no time to relax, one expert says.
“You look at the DOD internal documents, they all have a 12-month schedule—if everything goes well and it's not that complicated. Well, this is complicated. Things may not go so well. So it could be 15 months, it could be 18 months; they'll want to get it done,” said Robert Metzger, a government contracting attorney with Rogers, Joseph, and O’Donnell.
Metzger spoke at a Jan. 31 virtual town hall with the CyberAB, the accreditation body that oversees the Pentagon’s Cybersecurity Maturity Model Certification program.
The CMMC program, which aims to force contractors to implement a minimum level of cybersecurity, published interim rules in 2020. After an internal review, the Pentagon revamped the effort in 2021. Officials are currently weaving the new version, dubbed CMMC 2.0, into the federal rules—including CFR 32 and CFR 48—that govern defense contracts.
Metzger said he expects the final CMMC rules to keep or strengthen the current requirements to comply with cybersecurity guidance for controlled unclassified information. The coming changes will “essentially add the assessment mechanisms” for third parties, he said.
Metzger said that companies must adjust to the notion of submitting to a third-party assessment.
“Despite all of the things that may surprise or disappoint us, we should all remain enthused and committed,” he said.
And they should recognize that the new CMMC rules are just part of a larger effort to improve cybersecurity, collaboration, and incident reporting across the federal government, he added. The White House is taking a lead role with a cybersecurity executive order and the creation of a national cyber director.
“What you see is that people really, really care about incident response,” he said. “It strikes me as reasonable and likely that…we're going to see some stronger stuff on reporting,” in future regulations.
In the meantime, Metzger said businesses should remain diligent even if the rule changes take longer than expected.
“Even if the actual rollout is so much slower, perhaps even a year later than you might have expected, there is still an enormous market of companies who are going to [comply], who must comply today and who will need assessment services,” he said.