24 June 2022

Updated Timeline For DoD's Cybersecurity Certification Program

Sheppard, Mullin, Richter & Hampton LLP


The Department of Defense recently provided some clarity on the timeline for implementation of its Cybersecurity Maturity Model Certification (CMMC) program. The DoD now expects to complete documentation to submit to the Office of Management and Budget for its rulemaking process by July 2022. And, it plans to issue interim final rules by March 2023. If DoD sticks to this new timeline, the CMMC requirements could begin appearing in solicitations for government contracts as early as May 2023 (60 days after the rules are published).

DoD plans to roll out the CMMC requirements in solicitations under a "phased approach." During phase one, when the CMMC requirement first starts appearing in solicitations, all offerors will be required to conduct a self-assessment and provide a positive affirmation of compliance. This stands in contrast to having a third-party certification, which will eventually be required for some contractors under CMMC. In phase two, solicitations will require either self-assessments or third-party certifications. Which approach is required depends on the type of information involved, and the required certification level. The timing of phase two is still to be determined.

DoD has also confirmed that the third-party CMMC certification will be good for three years once the certification is issued (while not required until phase two, contractors may choose to secure certification early), but contractors will be required to provide an annual affirmation confirming compliance. The third-party certification is for those associated with critical programs and contracts involving information critical to national security. Self-assessments, required for contractors not handling information critical to national security, will need to be performed on an annual basis. Each assessment will need to be accompanied by an associated affirmation by a senior company official.

Putting it Into Practice: It seems the time has finally come for DoD contractors and suppliers to prepare their information systems for a CMMC assessment, if they have not already. Now is the time for DoD contractors to consider (1) comprehensive self-assessments, (2) appropriate remediation, and (3) updating any reported cybersecurity scores to ensure they reflect the current posture of the system.
