The Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) is rapidly moving forward, signaling significant changes for defense contractors. Two critical rules—one for the general CMMC framework and another for its inclusion in government contracts—are in the final stages of review. However, as businesses rush to meet compliance, there is an increasing risk of falling prey to inexperienced consultants who promise much but deliver little. Beware of the “snake oil salesmen” in the cybersecurity industry, especially when it comes to NIST 800-171 controls, Controlled Unclassified Information (CUI), and overall information assurance. Here’s what you need to know about the current state of CMMC and how to ensure you’re getting expert guidance.
CMMC Programmatic Rule (Title 32) Nears Finalization
The first significant update comes from the completion of the Office of Management and Budget (OMB) review for the CMMC programmatic rule (Title 32). This rule establishes the core framework for how CMMC will be implemented across the defense industrial base (DIB). Following the OMB review, the next step is for the rule to be published in the Federal Register—a key milestone that will make the rule publicly available and legally binding.
Once published, contractors and subcontractors working with the DoD will need to ensure they meet the specified CMMC requirements based on the level of cybersecurity maturity required for their contracts. The CMMC program is designed to protect sensitive federal information, including CUI, which has become a high-value target for adversaries. Non-compliance could mean loss of contracts and significant reputational damage.
Title 48 CMMC Contracting Rule: Public Comments Ending Soon
While the Title 32 rule nears publication, the Title 48 CMMC contracting rule is still in its final review stages, also known as the “chop chain.” This rule integrates CMMC requirements directly into the contracting process, meaning that companies bidding on federal contracts will need to demonstrate their CMMC compliance.
The public comment period for Title 48 will remain open until October 15, providing businesses and stakeholders an opportunity to give feedback on how the rule should be implemented. After this period, the DoD will review the comments and make any necessary revisions before finalizing the rule. This contracting rule is expected to have far-reaching implications for anyone involved in government contracts, whether you’re a prime contractor or a subcontractor in the supply chain.
Beware of Snake Oil Salesmen: The Risk of Inexperienced CMMC Consultants
As CMMC approaches full implementation, many companies are rushing to achieve compliance. Unfortunately, this urgency has sparked an influx of inexperienced or unqualified consultants. These so-called “snake oil salesmen” often lack expertise in critical areas such as NIST 800-171 controls, CUI handling, and information assurance. Since November 2023, we’ve received feedback from customers who initially worked with “CMMC consultants,” only to discover they had no real experience in information assurance for commercial federal and DoD environments—resulting in wasted time and thousands of dollars.
CMMC is not just about checking boxes and paying fees; it requires a deep understanding of cybersecurity frameworks like NIST 800-171, which outlines the necessary controls to protect CUI. Many of these fly-by-night consultants lack the expertise to properly guide companies through the complex process of implementing these controls, often resulting in half-baked solutions that fail to meet federal standards. This can leave companies vulnerable to cybersecurity threats, audits, and, ultimately, non-compliance penalties.
It’s crucial to work with a team that has a proven track record in information assurance, cybersecurity, and compliance. Look for consultants with real-world experience, not just flashy marketing claims. This will ensure that your company is prepared for the rigorous requirements of CMMC and that you can protect sensitive information effectively.
Cleared Systems: A Trusted Partner with Over 100 Years of Combined Experience
At Cleared Systems, we understand the challenges companies face when navigating the complex world of CMMC and federal compliance. Our team brings over 100 years of combined experience working with federal agencies. We have served as NIST Risk Management Framework (RMF) assessors, conducted full Authority to Operate (ATO) audits, and have deep expertise in NIST 800-171 controls, CUI, and cybersecurity best practices.
Unlike inexperienced consultants, we have worked on the front lines of federal cybersecurity and compliance, helping companies of all sizes secure their systems, protect sensitive information, and meet stringent federal requirements. Whether you’re just starting your CMMC journey or need help fine-tuning your compliance strategy, our experts can guide you every step of the way.
Conclusion
With the CMMC programmatic rule (Title 32) nearing final publication and the Title 48 contracting rule still under review, defense contractors must prepare to meet these new requirements. However, in the rush to become compliant, beware of unqualified consultants who promise easy solutions. Navigating the complexities of CMMC, NIST 800-171, and CUI requires expert guidance, and that’s where Cleared Systems can help. With our team’s extensive experience in federal compliance, we can ensure you’re fully prepared for the road ahead—without falling victim to “snake oil salesmen.”
Make sure you’re working with experts who understand the intricacies of federal cybersecurity requirements. Reach out to Cleared Systems today to learn how we can help your business achieve full CMMC compliance.