Many firms are selling CMMC consulting and implementation right now, and even claiming they can ensure “certification.” Here is just one such ad that was found live as of September 26, 2020:
As of right now “CMMC Certification” does not exist, nor is there a clear path forward on what it will look like.
What we currently have is the CMMC Model, which is not finished. In a September 2020 press conference, DoD rep Katie Arrington announced that the model would likely undergo revisions to strip out some 20 requirements that differentiated Maturity Level 3 from NIST 800-171. Whether this will happen is not fully clear, but it means we cannot be sure that the Model itself is “done” and ready for implementation.
On the government contract requirement side, no government contract can mandate CMMC maturity ratings as a condition of bidding until it is codified into an official DFARS rule. That has not happened, and is not likely to happen within 2020. An interim rule may be issued before then, but it will not mandate CMMC certification for bidding purposes.
Next, CMMC certification will never affect any current DoD contracts. It may be rolled out into future contracts, and even then, these will mostly affect high-level, large DoD contractors, and not other shops in the Defense Industrial Base.
The plan to roll out the CMMC certification to the entire DIB is not expected for five years, and even that timeline is aggressive. For now, DoD is targeting large “pilot” companies to adopt CMMC and undergo audits, but the timeline for that is constantly in flux. No pilot companies have been announced, and this is also not likely to start until deep into 2021.
Next, the CMMC Accreditation Board does not have a formal method for conducting CMMC appraisals yet. Only “provisional auditors” have been trained, and they were trained using temporary, draft appraisal methods. The formal appraisal methods have not been completed or published, and are under heavy revision. So no one knows what a CMMC appraisal will look like.
Finally, the CMMC scheme may be affected by the US national elections. The current leadership staff of the Office of the Undersecretary for Defense (Acquisitions & Sustainment) — which is overseeing the CMMC program — are all expected to resign and move back to the private sector no matter which candidate wins. This is normal after any election.
The only things companies can do now are: (1) implement NIST 800-171, and (2) track their compliance with the current version of the CMMC Model, understanding that it may change.
This page will be updated as more information comes in.
Last update: 26 Sept. 2020