The U.S. Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) program was first announced in January 2020, with a prolonged rollout through October 2025, so many defense contractors may feel they still have lots of time to comply. Well, that first “M” for Maturity in CMMC exists for a reason. Maturity means you have a security program, you’ve implemented it, you’re using/following it, and it’s working.
Essentially, the requirements must be satisfied, not just addressed, and Plans of Action and Milestones (POAMs) are no longer accepted. The reasoning for not accepting POAMs is that a POAM doesn’t actually satisfy the control, and accepting one disadvantages those who are secure. Implementing and maintaining security controls can be time-consuming and expensive, but that’s what it takes to be a secure provider with the DoD. So, if you haven’t already completed a Boundary Determination and Gap Analysis to baseline where you are, and begun your journey to ensure you’ll be able to attain the required level of compliance, now is the time.
Use the remainder of 2021 to implement your cybersecurity program and build up your maturity level before getting audited. And the clock is ticking, with CMMC audits destined to increase as the DoD rolls out more RFIs and contracts with CMMC requirements. You may even be expected to undergo a CMMC audit and recompete for contract renewals. An added twist is that CMMC is something of a moving target – it will evolve over time, with another update expected as soon as this fall.
At Entrust, our core business is cybersecurity and our products provide full or partial coverage of 11 of the 17 CMMC domains. And while we’re not an assessor, we’ve joined forces with leading CMMC Certified 3rd Party Assessor Organization (C3PAO) Coalfire Federal to help you get started on your CMMC journey. On that note, we are pleased to host Stuart Itkin, VP CMMC & FedRAMP Assurance at Coalfire Federal, on this upcoming webinar: The time to prepare for CMMC is now.