Month: September 2023

CMMC 2.0 Submission in OIRA is Moving Forward

CMMC 2.0 Submission to OIRA is Moving Forward

By Heather Bennett

September 23, 2023

The CMMC 2.0 submission to OIRA is moving forward, according to the OMB website. The site lists three meetings taking place on September 6^th, September 8^th, and September 13^th. These meetings are labeled as the “Proposed Rule Stage”. This is creating a stir among the CMMC evangelicals. This is the first major step after the official submission.

On July 24, 2023, the DoD officially submitted CMMC 2.0 to the Office of Information and Regulatory Affairs (OIRA) for review. This is a major step that many in the cybersecurity sphere have been waiting for. Why is it such a big deal? What does this mean?

What is Everyone Talking about?

Let’s start with the significance of this news. CMMC has been a buzzword in the DIB and cybersecurity community for over three years at the time of writing. Three years of debate, revision, speculation, and preparation are one step closer to reality. “Under EO 12866, OIRA has up to 90 days (which can be extended) to review a rule. This review helps to promote adequate interagency review of draft proposed and final regulatory actions so that such actions are coordinated with other agencies to avoid inconsistent, incompatible, or duplicative policies.” (https://obamawhitehouse.archives.gov/omb/oira/) After 90 days, if there are no revisions, the next step is publishing the proposed rule in the Federal Register. Once the rule is registered, there will be a 60-day comment period. This puts us into 2024 before the rule goes into effect. This means that CMMC requirements could appear in contracts by early 2025.

The Importance of OMB Submission in CMMC Compliance

So, why is the submission of CMMC requirements to OMB so critical? Here are several key reasons:

Alignment with Government Policies: OMB review ensures that CMMC requirements align with government policies and standards, ensuring a unified approach to cybersecurity across government contracts.

Legitimacy and Standardization: OMB approval adds legitimacy and standardization to the CMMC framework. It signifies that the cybersecurity practices mandated by CMMC are recognized and endorsed at the highest levels of government.

Contract Eligibility: Without OMB approval, organizations may not be eligible to bid for or engage in DoD contracts. Compliance with CMMC, including the OMB submission, is often a prerequisite for participation.

National Security: Given the sensitive nature of information involved in defense contracts, OMB ensures that the cybersecurity measures mandated by CMMC are robust, protecting national security interests.

Consistency and Accountability: OMB oversight ensures that CMMC compliance remains consistent and that organizations are held accountable for adhering to cybersecurity best practices.

Waiting in CMMC the Wings

What does this mean for DIB contractors and C3PAOs that have been preparing for the official rule? It’s game time. There is no denying that this requirement is going to go into effect. Any DIB contractor that has been dragging their feet regarding compliance will have to step up their game. Many CMMC evangelists have been warning the community for the past three years that it’s time to get ready or get left behind.

PGS has spent the last three years learning, securing its certification, and preparing clients for the inevitable. We have developed strong CMMC service offerings, from CMMC workshops to full certification assessments. To learn more about how you can be ready for CMMC, we invite you to attend a webinar we will host on October 17, 2023. This interactive session will focus on document preparation specific to CMMC. This webinar is free and open to anyone interested in preparing for CMMC. You can sign up below.

Register for this Webinar Below

Don't miss this opportunity to master CMMC documentation and bolster your organization's cybersecurity efforts. Register now to secure your spot!

Click Register

Provincia Government Solutions, LLC is a Nashville based HUBZone certified security and risk assurance firm with advanced expertise in government regulatory and compliance cybersecurity requirements including NIST, FISMA, CMMC, SCA, 800-171, TRICARE, MARS-E and ZTA (Zero Trust Architecture) solutions. Our client base includes government agencies, contractors, and commercial organizations affiliated with government entities. Whether you are seeking audit preparedness, compliance and assurance assessments, security consulting, or CMMC certification, we have the expertise to help. Contact us at (615) 807-2822 or at info@provincia.io to discuss your security needs today. Consultations are free of charge and we look forward to speaking with you!

Subscribe to our Blog!

Be The First

to Know

When New Blog Content is Published

Contact Information

Social Networks

Links List

ABOUT US

Provincia Government Solutions is a Nashville TN based Authorized CMMC Third-Party Assessor Organization (C3PAO) and SBA Certified small business specializing in Cybersecurity Assurance Services for government agencies, contractors, and commercial organizations affiliated with government entities.

Discover the Top 10 CMMC FAQs

Top 10 CMMC FAQs

By Heather Bennett

September 18, 2023

Top 10 FAQs for CMMC (Cybersecurity Maturity Model Certification)

The Cybersecurity Maturity Model Certification (CMMC) continues to be a hot topic in the world of cybersecurity compliance. As organizations strive to meet the requirements set by the Department of Defense (DoD) and protect sensitive information, it’s no wonder that CMMC generates numerous questions. In this blog post, we’ve compiled the top 10 frequently asked questions (FAQs) about CMMC to provide clarity and insight into this vital certification process.

1. What Is CMMC, and Why Is It Necessary?

CMMC, or Cybersecurity Maturity Model Certification, is a framework developed by the U.S. Department of Defense (DoD) to ensure that organizations in the defense supply chain maintain robust cybersecurity practices. It’s necessary to protect sensitive DoD information and enhance national security.

2. Who Must Comply with CMMC?

CMMC compliance is mandatory for any organization or contractor that handles controlled unclassified information (CUI) or wishes to engage in contracts with the DoD. This includes both prime contractors and subcontractors at various tiers.

3. How Many CMMC Levels Are There, and What Are They?

CMMC consists of three levels, each representing a different tier of cybersecurity maturity. These levels are Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert), with each level building upon the requirements of the previous one.

4. How Can My Organization Get CMMC Certified?

To achieve CMMC certification, organizations must undergo assessments conducted by accredited third-party assessment organizations (C3PAOs). These assessments evaluate your organization’s adherence to the CMMC framework’s requirements, and successful completion results in certification at the appropriate level. See our blog on C3PAO Red flags (https://provincia.io/5-c3pao-red-flags/)

5. What Types of Documentation Are Required for CMMC Compliance?

CMMC compliance requires thorough documentation. Key documents include the System Security Plan (SSP), Plan of Action and Milestones (POA&M), policies and procedures, incident response plans, and security assessment reports. The specific documentation you need depends on your CMMC level.

CMMC Webinar

6. Can I use Existing Cybersecurity Frameworks for CMMC Compliance?

Yes, you can leverage existing cybersecurity frameworks like NIST SP 800-171 or ISO 27001 to help meet CMMC requirements. However, you’ll need to ensure that your practices align with the specific controls outlined in the CMMC framework.

7. What Are the Penalties for Non-Compliance with CMMC?

Non-compliance with CMMC can lead to consequences such as the loss of DoD contracts, reputational damage, and potential legal actions. It’s crucial to take compliance seriously to protect your organization.

8. Is CMMC Compliance a One-Time Effort?

No, CMMC compliance is an ongoing process. Regular assessments and updates are necessary to maintain compliance as threats evolve and your organization’s cybersecurity practices adapt.

9. How Long Does It Typically Take to Achieve CMMC Certification?

The timeline for CMMC certification varies depending on your organization’s current cybersecurity posture and the level you aim to achieve. It’s essential to allocate sufficient time for preparation and assessment.

10. Where Can I Find More Resources and Guidance on CMMC?

To access official CMMC resources, guidance, and updates, visit the official CMMC website. Additionally, consider consulting with CMMC experts and certified assessors to navigate the certification process effectively. (https://dodcio.defense.gov/CMMC/ https://cyberab.org)

In conclusion, CMMC is a pivotal certification for organizations in the defense supply chain. These FAQs provide valuable insights into its purpose, requirements, and implications. As CMMC evolves, staying informed and seeking expert guidance will be crucial for achieving and maintaining compliance.