After a lengthy internal review process, the Department of Defense (DoD) released its Cybersecurity Maturity Model Certification (CMMC) 2.0 requirements in November and is now in the early stages of a rulemaking process to implement the revised program.
However, what that timeline looks like has been unclear for companies who make up the Defense Industrial Base (DIB).
DoD Deputy Chief Information Officer David McKeown previously said the rulemaking process could take up to two years, but a representative of the government technology and services industry told the Senate Armed Services Committee today that DIB companies are being told the process could be completed anywhere from later this spring to a year from now.
“We’ve heard various estimates that it could be as early as late this spring or as late as a year from now,” David Berteau, president and CEO of the Professional Services Council (PSC) told the committee. “One of the problems or concerns that we’ve raised from the beginning is [that] a threat is not waiting for this implementation, and every day that threat grows.”
Berteau and the PSC represent more than 400 member companies that serve the Federal government. He told the committee that every DIB prime contractor he represents has a plan for itself and its clients to meet the existing CMMC standards, but questioned whether the standards set forth by DoD go far enough.
The CMMC 2.0 program simplified some of the requirements for contractors, collapsing the five levels of maturity from the CMMC 1.0 program to just three levels in CMMC 2.0.
“The real question is do those standards go far enough in order to protect us against the evolving threat? And nobody really knows the answer to that,” Berteau said.
The CMMC 1.0 program had previously gone through the rulemaking process, and its requirements had begun to roll out in pathfinder and pilot contracts, with a goal of being incorporated into every DoD contract by fiscal year 2026. The review and subsequent program revision have scuttled those plans, with no clear new timeline in place.
“In the meantime, of course, there is an existing regulation but its use has been suspended,” he said, referring to the Defense Federal Acquisition Regulation Supplement (DFARS) for CMMC 1.0. “It’s not being incorporated in contracts, with many companies already complying with that.”
Additionally, McKeown had previously said that DoD expects more DIB companies to need a CMMC 2.0 Level Two certification than previously estimated, further throwing the community into uncertainty.
“What we don’t know is what’s the next standard we’re going to have to comply with? What’s the timeline in which the flag will go down, and you’ve got to be in compliance? And what can you do now to be ready for that when you don’t know what it is you can have to be what standard?” Berteau said. “So there’s still a lot of ambiguity there, but a lot of people are moving forward and working on it.”