April 8, 2022

Last Updated on March 16, 2023

The clock is ticking for orgs in the US defense industrial base (DIB) that have been “checking the boxes” on NIST 800-171 compliance.

As reported on a recent episode of The Virtual CISO Podcast by guests Kyle Lai, founder and CISO at KLC Consulting, and Caleb Leidy, CUI Protection and CMMC Consultant at Pivot Point Security, there have lately been several changes and clarifications of note.

If you haven’t yet heard the new news, buckle up and read on!

Everybody gets an audit

Beginning in February 2022, the US Department of Defense (DoD) began communicating to DIB stakeholders that the concept of “self-attested compliance with senior officer signoff” (the so-called “bifurcation” idea) has bitten the dust. Once the rulemaking is finalized, all firms seeking CMMC Level 2 certification will need a third-party audit.

You don’t want to be last in line

How many companies are likely to be competing for a finite number of auditors? The DoD is estimating 80,000. There won’t be enough C3PAOs or assessors to make that happen overnight… or even by 2024.

“I think they alluded that they’re going to do a phased approach,” says Kyle. “But exactly what that means, we don’t know for sure yet. Most likely not all 80,000 companies will have to get CMMC Level 2 certification all at once because it’s probably not possible.”

In the run-up to CMMC 1.x, the DoD made reference to 300,000 to 350,000 companies in the defense supply chain. Of those, it was estimated that 50,000 to 70,000 would seek a CMMC Level 3 (now CMMC 2.0 Level 2) certification.

So, where does that number 80,000 come from?

According to Kyle, the DoD CIO Office estimates that 80,000 out of 220,000 DIB companies overall will need audits. But with the myriad subcontractors needing to comply with flow-down requirements, Kyle feels that number could be low.

Obviously, with so many businesses in competition for scarce consulting and auditing resources, waiting to get moving on CMMC 2.0 Level 2 certification could be cause for regret.

What’s next?

To hear this valuable guidance on CMMC 2.0 straight from John, Caleb and Kyle, click here.

Concerned about CMMC 2.0 compliance deadlines? Here’s one more reason to get your program in gear now: CMMC 2.0 and NIST 800-171—Pressure from Primes Could Accelerate Compliance Timeframes

New CMMC V2 Certification Guide

A Simple Guide to Comply with the DoD's Cybersecurity Maturity Model Certification (CMMC)

This NEW CMMC V2 Certification Guide will give you a quick and easily digestible introduction to the CMMC and the process we use to help our clients become CMMC compliant.