February 7, 2023

Volume XIII, Number 38


February 06, 2023

Subscribe to Latest Legal News and Analysis

Updated Timeline for DoD’s Cybersecurity Certification Program

The Department of Defense recently provided some clarity on the timeline for implementation of its Cybersecurity Maturity Model Certification (CMMC) program. The DoD now expects to complete documentation to submit to the Office of Management and Budget for its rulemaking process by July 2022. And, it plans to issue interim final rules by March 2023. If DoD sticks to this new timeline, the CMMC requirements could begin appearing in solicitations for government contracts as early as May 2023 (60 days after the rules are published). 

DoD plans to roll out the CMMC requirements in solicitations under a “phased approach.” During phase one, when the CMMC requirement first starts appearing in solicitations, all offerors will be required to conduct a self-assessment and provide a positive affirmation of compliance. This stands in contrast to having a third-party certification, which will eventually be required for some contractors under CMMC. In phase two, solicitations will require either self-assessments or third-party certifications. Which approach is required depends on the type of information involved, and the required certification level. The timing of phase two is still to be determined.

DoD also has confirmed that the third-party CMMC certification will be good for three years once the certification is issued (while not required until phase 2, contractors may choose to secure certification early), but contractors will be required to provide an annual affirmation confirming compliance. The third-party certification is for those associated with critical programs and contracts involving information critical to national security. Self-assessments required for contractors not handling information critical to national security will need to be performed on an annual basis. The assessment will need to be accompanied by an associated affirmation by a senior company official.

Putting it Into Practice: It seems the time finally has come for DoD contractors and suppliers to prepare their information systems for a CMMC assessment, if they have not already. Now is time for DoD contractors to consider (1) comprehensive self-assessments, (2) appropriate remediation, and (3) updating any reported cybersecurity scores to ensure they reflect the current posture of the system.

Copyright © 2023, Sheppard Mullin Richter & Hampton LLP.National Law Review, Volume XII, Number 174

About this Author

Townsend Bourne, Government Affairs Attorney, Sheppard Mullin Law FIrm

Ms. Bourne's practice focuses on Government Contracts law and litigation. Her experience includes complex litigation in connection with the False Claims Act, bid protest actions both challenging and defending agency decisions on contract awards before the Government Accountability Office and Court of Federal Claims, claims litigation before the Armed Services Board of Contract Appeals and the Civilian Board of Contract Appeals, investigating and preparing contractor claims, and conducting internal investigations. 

Ms. Bourne advises clients on a...

Nikole Snyder Associate DC Government Contracts, Investigations and International Trade

Nikole Snyder is an associate in the Government Contracts, Investigations and International Trade Practice Group in the firm's Washington, D.C. office.

Areas of Practice

Nikole represents government contractors in various government contracts litigation and counseling matters, including in the following areas:

  • Civil False Claims Act litigation defense;

  • Cybersecurity counseling;

  • Internal investigations;

  • Small business issues under the Small Business Administration regulations, including...