Last week, the CMMC Final Rule (known as CFR 32) was released from OIRA, meaning no more changes can be made. 

Since CFR 32 is considered a Major Rule, it will next undergo a Congressional review of up to 60 days, after which it becomes law. Any inaction by Congress results in it becoming law. The only way for changes to be made is for both houses of Congress and the President to overturn the Rule.

For defense contractors handling CUI, know that CMMC is here. If you have been waiting, this is your confirmation to get started. Here’s what Matt Travis (CEO of Cyber-AB) warned at PreVeil’s Virtual CMMC Summit:

"And if you haven't started getting engaged in CMMC, now is the time to do so. It was probably the time earlier this year, but now the light is flashing red."

The CMMC rule is on target to become law in Q4 and enter into contracts in early 2025. It requires contractors to prove CMMC compliance as of the time of award.

It also requires contracting officers to verify that the results of CMMC compliance are posted in the Supplier Performance Risk System (SPRS).

Note that DFARS 7012 and DFARS 7020 mandate that defense contractors pass CMMC requirements on to their subcontractors. This means even subcontractors must be CMMC compliant to be part of defense contracts.

CMMC will be phased in over 3 years, but it’s impossible to know which contracts will be subject to the requirements until they’re released, at which point it’ll be too late to become compliant. If you’re a defense contractor, the only way to ensure you can maintain your current contracts & win new ones is by completing a CMMC assessment.

"The problem for most contractors is that you won't know in advance when the compliance requirement will come to you or when your Prime will ask you to show you are ready for a certification assessment. Most organizations find that it takes 6-18 months to know that you are ready to pass an assessment. So you need to get started now."

Robert Metzger, leading cyber attorney @RJO

CFR 32 is the rule that defines the CMMC program and enables CMMC assessments to begin. Until now, assessments have been conducted jointly by CMMC 3rd Party Assessor Organizations (C3PAOs) and the DoD’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) under the JSVA (Joint Surveillance Voluntary Assessment) program. Once CFR 32 passes Congress, JSVAs will end and C3PAO assessments will begin. DIBCAC will continue to conduct C3PAO, CMMC Level 3, and DIBCAC High Assessments.

While the Cyber-AB still needs to release the CMMC Assessment Process (CAP) before assessments can begin, industry experts believe we should expect C3PAO assessments by mid-November. Many defense contractors have already lined up these C3PAO assessments and those who have not should do so soon because the C3PAO pool is limited and waiting lists are growing.

If you’re a defense contractor, you need to decide if you wish to be part of the Defense Industrial Base ecosystem. If you choose to “wait it out” and see what happens with CMMC, you are effectively canceling the possibility of winning any contracts with the CMMC clause for at least 12 months – that’s how long it takes for a typical DIB company to prepare for and complete a CMMC certification. Note that this includes contracts on which you’re a subcontractor, since Primes are required to flowdown these CMMC requirements.

Waiting will only cost you time, money, and lost revenue. Some C3PAOs already have multi-year waiting lists.

Alternatively, getting CMMC compliant now will grant you a competitive advantage when bidding on DoD and Prime contracts.

Fundamentally, we are at what Intel founder Andy Grove called a “strategic inflection point” in CMMC. If you wish to win DoD work, then you need to get CMMC compliant. Failure to achieve compliance means choosing to be a spectator to the industry’s growth. 

If your organization wishes to stay in the Defense Industrial Base, then you will need to become CMMC compliant. PreVeil can help.

PreVeil is used by over 1,200 defense contractors and provides a comprehensive solution to expedite CMMC compliance. It includes:

  1. Technology Platform: Our Email and Drive platform protects CUI with end-to-end encryption. It meets FedRAMP Moderate Equivalent, FIPS 140-2, and DFARS 7012 (c)-(g) requirements.
  2. Compliance Accelerator: We provide you with pre-filled CMMC documentation, assessor-validated videos, and 1:1 support from our compliance experts.
  3. Partner Network: We support your organization through the entire compliance journey, from prep to assessment, with our network of CMMC consultants and auditors.

PreVeil supports 102 of the 110 NIST 800-171 controls and has videos, documentation, and advice to help walk you through how to meet the remaining controls. Our proven solution has been used by over 10 defense contractors and C3PAOs to achieve perfect 110 scores in tough DoD assessments.

To get the latest CMMC updates and learn how PreVeil can help, simply reach out to our team, or schedule a free 15-minute compliance consult with our team.