It could be 2024 or early 2025 before the Department of Defense finally requires contractors to obtain third-party approval of their cybersecurity posture. But there is no time to relax, says one expert.
“If you look at the internal Pentagon documents, everything is going well and everything is on a 12-month schedule, if not too complicated. Hmm, this is complicated. It could be 15 months, it could be 18 months,” said Robert Metzger, government contract attorney for Rogers, Joseph and O’Donnell.
At a virtual town hall on January 31, Metzger spoke with CyberAB, the certification body that oversees the Department of Defense’s Cybersecurity Maturity Model certification program.
The CMMC program, which aims to force contractors to implement a minimum level of cybersecurity, published an interim rule in 2020. After an internal review, the Pentagon revamped its efforts in 2021. The agency is now pursuing a new version of the program, called CMMC 2.0, through federal regulations (including 32 CFR and 48 CFR) governing defense contracts.
Full implementation of the program is expected by fiscal year 2025, as the rulemaking process can take up to 24 months, said Pentagon spokesperson Jessica McNulty, a Navy commander.
Metzger said he expects the final CMMC rule to maintain or enhance current requirements for compliance with cybersecurity guidance for controlled unclassified information. The upcoming changes “essentially add a rating mechanism” for third parties, he said.
Defense procurement regulations now allow contractors to assess their own efforts to comply with federal cybersecurity standards. Not all do.
Metzger said companies have to adapt to the idea of submitting to third-party evaluation.
“Despite everything that may surprise or disappoint us, we all need to remain enthusiastic and committed.”
“We also need to recognize that the new CMMC rule is just one part of a larger effort to improve cybersecurity, collaboration and incident reporting across the federal government,” he added. The White House has taken a leading role with the Cybersecurity Executive Order and the creation of the National Cyber Director.
“What you’re seeing is that people really, really care about incident response,” he said. “I think it’s reasonable, and I think it’s likely … we’re going to see something stronger when it comes to reporting” in future regulations, he said.
Meanwhile, Metzger said businesses need to remain diligent even if the rule change takes longer than expected.
“Even if the actual rollout is very slow, maybe a year later than expected, there is still a huge enterprise market and [companies] who need to comply today and who will need assessment services,” he said.