The Pentagon Updates CMMC Timeline

When CMMC 2.0 was announced in 2021, the original timeline included a 9-24 month implementation process. Since then, we have all been anxiously waiting to hear whether this was on track.

At an event hosted by NDIA New England, Stacy Bostjanick, the CMMC director, announced that the Pentagon is on schedule to release two “Interim Final Rules,” which means CMMC is less than a year away from going into effect.

What Does This Mean for Your Government Contracts?

This update gives companies currently seeking CMMC certification a deadline. But for companies that have yet to begin their CMMC compliance certification, time is quickly running out, and now is when you should get started!

Below we give a brief overview of the expected time to comply, as well as the specific risks that failure to comply poses for your company and existing government contracts.

How Long Does CMMC Certification Take?

Several steps are required to obtain CMMC certification, many of which take several weeks to complete. While third-party audits may not start just yet, Bostjanick stated that on “day one, everyone will be required to do the self-assessment, the positive affirmation.”

It’s important to get started as soon as possible if your company currently has or is expecting to obtain a DoD government contract.

A typical timeline for completing CMMC certification can look like this:

Potential Compliance Timeline:

  • Gap Assessment
    • 4 weeks
  • Remediation Project
    • 2-3 months from Gap Assessment (will vary by specific needs/situation and includes policy documentation)
  • Ongoing Support and Continuous Monitoring
    • 1-2 months from Gap Assessment (can usually be done concurrently with Remediation)

Total time from start to compliance?

Companies with mature IT environments should plan for 3-6 months, whereas companies needing a little more help could be looking at 6-9 months to reach an audit-ready state.

Risks of Non-Compliance

Failing to complete the certification process can result in termination of your current contract and/or hefty fines for non-compliance and damages. It can also prevent your company from securing additional government contracts.

Under the False Claims Act, companies can risk liability by knowingly or recklessly misstating compliance. We anticipate that courts will continue to find civil False Claims Act violations for companies that are not complying with, or are misrepresenting their compliance with, cybersecurity requirements.

Recent Government Actions

On October 6, 2021, the Department of Justice announced a new cyber-fraud initiative that would hold contractors accountable for their commitments to protect information.

This initiative would utilize the False Claims Act to pursue cybersecurity-related fraud. This would include:

  • Misrepresenting cybersecurity practices of their organization
  • Failing to follow required cybersecurity standards
  • Failing to report cybersecurity incidents

Bottom line: abide by contractual standards or face significant penalties!

Medical services contractor settles False Claims Act Allegations – March 2022

Comprehensive Health Services LLC agreed to pay $930K to settle violations related to falsely representing compliance with contract requirements flagged by whistleblowers.

“This settlement demonstrates the department’s commitment to use its civil enforcement tools to pursue government contractors that fail to follow required cybersecurity standards.”

- Brian Boynton, Principal Deputy Assistant Attorney General

SSE Can Help You Mitigate Your Risk and Achieve CMMC Certification

SSE is here to keep you informed and get your organization compliant. As the implementation of CMMC 2.0 quickly approaches, SSE is your expert in helping you maintain and pursue new DoD-related projects with confidence.

Let us demonstrate how we can help in preparing your business. Schedule your complimentary CMMC Readiness Assessment to get started.
