July 9, 2020

Last Updated on January 16, 2024

The US Department of Defense (DoD) continues to move its new Cybersecurity Maturity Model Certification (CMMC) program steadily forward. Suppliers at all levels within the Defense Industrial Base (DIB) need to get ready for this new certification program, which will replace the current NIST 800-171 self-attestation scenario at an accelerating rate between now and 2026. 
How fast will this transition happen? What contractors will it impact first? When does my organization need to be ready? 
To give DoD suppliers an up-to-the-minute timetable, roadmap and FAQ for CMMC compliance, a recent episode of The Virtual CISO Podcast features Stuart Itkin, VP of Products and Marketing for Exostar, a secure collaboration and supply chain management service provider that has a unique and significant role across virtually the entire DIB. 
Hosting the podcast is Pivot Point Security’s CISO and Managing Partner, John Verry, who brings longstanding experience helping businesses that serve government agencies comply with regulations like NIST 800-171, CMMC and FedRAMP.
Stuart clarifies the preliminary timetable that Katie Arrington, the DoD’s point person for the CMMC rollout, shared in the first episode of The Virtual CISO Podcast: “It [the CMMC] gradually affects… about 1,500 organizations in 2021, about 7,500 in 2022, ramping up to about 50,000 in 2025.”
Meanwhile, the need for DoD prime contractors and subcontractors to continue to comply with current Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity regulations, including the requirement to verify that their suppliers are also in compliance, remains in effect. At the same time, organizations that are angling for a competitive edge, or that want to be ready to win some of the first contracts or projects that require CMMC certification, will be motivated to achieve the appropriate certification level as soon as possible.

Stuart further notes: “These two sets of requirements [NIST 800-171 and CMMC] are going to coexist for a period of time. And the number of contracts, and hence the number of contractors and subcontractors subject to CMMC, is going to grow over time starting in 2021. In 2026, our understanding is that all RFIs and RFPs will have CMMC requirements as part of those.” 


Stuart then makes this vital point: “… a given supplier may have to comply with CMMC for one contract and still report with respect to 800-171 for another contract. Primes at the same time are likely going to have contracts with CMMC requirements and others that haven’t yet been subject to CMMC, for which they’re going to need to verify that suppliers under those contracts have submitted a self-attestation to NIST 800-171.”
To sum up, some organizations will need to be certified in 2021 against the CMMC requirements already announced in 2020. The number of organizations that must achieve CMMC certification will grow rapidly each year until, by 2026, every participant in every RFI and RFP must be CMMC certified.  
How high of a hurdle is CMMC certification for your organization? Is it true that the DoD is also ramping up enforcement of NIST 800-171 compliance? What does it mean to be “audit ready” for the CMMC? Stay tuned for posts on these topics.   
To listen to the complete episode with Stuart Itkin, and many more like it, you can subscribe to The Virtual CISO Podcast here. 
If you don’t use Apple Podcasts, you can find all our episodes here.