For those who want the key pieces of information from this article up front, here are the key takeaways:
- Expect an interim rule by March 2023
- Expect CMMC requirements in DoD contracts in May 2023
- All DIB suppliers who handle CUI (both non-prioritized and prioritized) will need to implement NIST 800-171 controls
Keep in mind that the dates above are not official and are only estimates based on the information we’ve been able to gather at the moment. For more context, please keep reading.
Where We’re At Now
CMMC requirements are currently within the federal rulemaking process for the Code of Federal Regulations (CFR) and Defense Federal Acquisition Supplement (DFARS). Both rulemakings must be completed before CMMC requirements can be implemented in contracts.
Where We’re Going
According to a FedScoop article, Stacy Bostjanick, the Pentagon’s director of CMMC policy, said, “We’re hoping by March of 2023, they will give us an interim rule. Now that’s not guaranteed. They could come back and say, ‘No, we don’t see the urgency of this meeting to be an interim rule and you will not be allowed to implement until you go through final rule.’” If an interim rule decision is made, there will be a 60-day public comment period, but the DoD would be able to implement CMMC requirements in contracts by May 2023, Bostjanick said.
Prioritized CUI and Non-Prioritized CUI
Though not explicitly referenced in the official CMMC 2.0 documentation, Bostjanick shared some insights regarding prioritized and non-prioritized controlled unclassified information, or CUI.
“For those companies that would handle non-prioritized CUI, the thinking is that they could merely do a self-assessment, an annual affirmation that they meet the requirements of the NIST 800-171 to handle the non-prioritized CUI. From our analysis, the non-prioritized CUI is going to be a smaller subset of the CUI that we deal with,” she said.
“Since companies don’t ever normally just do one contract with the DOD, they bid on multiple contracts, eventually, anybody who handles CUI and bids on more than one contract will most likely have to have a third-party assessment, because it’s only ever going to take one contract that you bid on that requires that third-party assessment to drive you to that level,” she added.
While definitions are still being worked out, our understanding is that non-prioritized CUI is information that would not present much of an issue if it fell into the wrong hands. Prioritized CUI, by contrast, is sensitive information that, if leaked, could present a national security risk or cause a loss of defense capabilities and/or competitive advantage.
Why All DIB Suppliers Need to Make CMMC Preparations Now
If they haven’t already, all businesses that provide products and services to the defense supply chain should delay no further in preparing to meet the requirements of CMMC, regardless of whether they expect to handle prioritized or non-prioritized CUI.
In light of the information that Bostjanick shared, SysArc’s CEO offers advice for DIB suppliers who are navigating CMMC. “The problem is that no DIB supplier is going to know ahead of time whether the contract they’re bidding on will have prioritized or non-prioritized CUI. Therefore it’s important that every contractor treats all contracts as if they will be dealing with prioritized CUI. Otherwise, they might find themselves potentially less likely to take CMMC preparation seriously and leave themselves unprepared for a third-party audit,” said Tim Brennan, CEO of SysArc.
“At the end of the day, the concern for businesses shouldn’t be whether they will deal with prioritized or non-prioritized CUI. That’s because all businesses who handle CUI, regardless of prioritized or non-prioritized, are required by law to have NIST 800-171 controls in place. The only question then is whether they will be required to pass a third-party assessment or only need to self-attest compliance. Ultimately it’s up to each company how much risk they want to take on,” he added.
Need Help Preparing for CMMC?
We’ve helped over 1,000 DoD suppliers and their primes navigate the complexities of DFARS, NIST 800-171, and CMMC. If you’re concerned about your company’s ability to prepare, feel free to give us a call or request a consultation. We’re happy to walk you through our process for getting companies like yours CMMC compliant faster and at lower cost than other solutions on the market.