January 2020 – The United States Department of Defense introduced the initial version of the Cybersecurity Maturity Model Certification (CMMC). The CMMC effort was intended to build upon existing regulation (DFARS 252.204-7012), which requires Department of Defense contractors, subcontractors, suppliers, and vendors to implement security controls to protect controlled unclassified information (CUI) in accordance with NIST SP 800-171.
September 2020 – The DoD published an interim rule to the DFARS in the Federal Register (DFARS Case 2019-D041), which implemented the DoD’s initial vision for the CMMC program (“CMMC 1.0”) and outlined the basic features of the framework (tiered model, required assessments, and implementation through contracts). The interim rule became effective on November 30, 2020, establishing a five-year phase-in period.
March 2021 – The Department initiated an internal review of CMMC’s implementation, informed by more than 850 public comments in response to the interim DFARS rule. This comprehensive, programmatic assessment engaged cybersecurity and acquisition leaders within DoD to refine policy and program implementation. The Information Technology Acquisition Advisory Council (IT-AAC) was a significant contributor to the various findings and recommendations during the review effort.
October 2021 – The Department of Justice (“DOJ”) announced a new Civil Cyber-Fraud Initiative to enforce cybersecurity standards and reporting requirements. The Initiative will use DOJ’s civil enforcement mechanisms, namely the False Claims Act, to pursue government contractors and federal grant recipients that “knowingly provide deficient cybersecurity products or services, knowingly misrepresent their cybersecurity practices or protocols, or knowingly violate obligations to monitor and report cybersecurity incidents and breaches.” DOJ will not limit enforcement to entities; individuals can also be held accountable for cybersecurity-related fraud.
November 2021 – The Department announced “CMMC 2.0,” an updated program structure and set of requirements designed to safeguard sensitive information and protect the warfighter, dynamically enhance DIB cybersecurity, ensure accountability while minimizing barriers to DoD compliance, contribute towards instilling a collaborative culture of cybersecurity and cyber resilience, and maintain public trust through high professional and ethical standards. CMMC 2.0 reduces the number of certification levels from five to three and makes other adjustments to the proposed program. The rulemaking for CMMC 2.0 is estimated to take from 9 to 24 months. While these rulemaking efforts are ongoing, the Department intends to suspend the current CMMC piloting efforts and will not approve inclusion of a CMMC requirement in any DoD solicitation. This created considerable confusion across the DIB community around the implementation requirements and timelines, and raised questions about the cost, governance, and oversight of the program.
March 2022 – The Securities and Exchange Commission proposed amendments to its rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies. Congress is also considering the Federal Information Security Modernization Act, which has already passed the Senate and is currently under consideration by the House of Representatives.
Join us on Wednesday April 26, 2022, 13:00 – 14:00 EDT. The Information Technology Acquisition Advisory Council (IT-AAC), in partnership with Churchill & Harriman, is pleased to present the second in a series of virtual discussions, a deeper dive into the CMMC program: what it is, who is required to comply, what the current timelines for compliance are, what the consequences of failing to meet those timelines are, and how to execute due diligence by creating and implementing a plan to meet the CMMC requirements. A significant focus of the discussion will be on the impacts and requirements for small and medium-sized businesses.
Subject matter experts and risk management professionals will discuss the current plans for CMMC, how other legislative and regulatory activities may impact the future of CMMC, and why you should care. Given the current challenges of cybersecurity and the need for each of us to meet our obligations, this webinar discussion will be both substantive and timely.
Hosted by: CMMC Center of Excellence and Churchill & Harriman
Panelists: John Weiler – Chairman, CMMC COE, Exec Director, IT-AAC
Kenneth Peterson – CEO & Founder, Churchill & Harriman
Edward Beesley – Chief Operating Officer, Churchill & Harriman
Moderator: Bob Dix – SVP, Strategy & Public Policy, IT-AAC