The Cybersecurity Maturity Model Certification interim final rule was just released. Eric Crusius, Partner at Holland & Knight, joined “Government Matters” to discuss the new rule and how it will impact contractors.
“Now it is confirmed that there’s going to be a certification required with NIST Special Publication 800-171 and that for most contractors is going to be a self-certification that they have to do every three years if they’re considered low-risk,” Crusius said. Medium-risk and high-risk contractors will need to be certified by a Defense Department entity, he said. Risk level is based on possession of information that will trigger compliance with National Institute of Standards and Technology Special Publication 800-171.
He said these requirements create a dual-track certification program where some contractors will have to be certified by the Department of Defense while others will self-certify.
“If you’re doing a self-certification for compliance with 800-171, you’d better make sure you’re right because sooner or later there’s going to be a CMMC third-party certification,” Crusius said. He mentioned that any discrepancies could be a risk area for companies.
Crusius said that while the dual-track certification program was unexpected, the rule itself was unsurprising. Companies will need certification every three years and upon award, and certifications will need to happen throughout the entire supply chain.
“It’s not entirely clear who’s going to make the rule on what level a subcontractor needs to have,” he said. “The way I initially read the rule is that the prime contractor will make the assessment on what level the subcontractor will have and will have to ensure that the subcontractor has the correct level.”
The interim final rule will be open for public comment but will take effect in November. This differs from the process for proposed rules, which go through public comment before they are implemented. Some contractors will need CMMC certification for contracts awarded after the late-November timeframe.
“Whether you’re part of the initial cohort or not, you’re going to have to start paying attention,” Crusius said.