For a new DoD contractor requirement that is supposedly being released in January, just a few weeks from now, the industry and the DoD sure have seemed quiet about the CMMC. Have any of you been taking preparatory steps? Have any good resources besides the draft and FAQ (https://www.acq.osd.mil/cmmc/faq.html) ? The FAQ says the first version will be released in January and then implemented as a requirement starting in June, which is a pretty quick time frame considering they haven't even specified how third party assessors become certified to issue CMMCs.
(https://www.acq.osd.mil/cmmc/faq.html) ? The FAQ says the first version will be released in January and then implemented as a requirement starting in June, which is a pretty quick time frame considering they haven't even specified how third party assessors become certified to issue CMMCs.
This is gonna get VERY interesting. Recalling that DoD is still doing a shoddy job of enforcing the individual certifications requirements under 8570, I will be watching for how long it takes them to actually put the CMMC into contracts and enforce them for companies.
This is certainly going to become very interesting indeed - the Australian Government are doing a similar scheme via the IRAP certification to ensure that Federal Government agencies comply with mandated controls. Someone is going to be making a lot of money, and the rush to get certified will generate a lot of jobs for years to come.
Well I assure you this is happening. They have come to the realization that the initial aggressive timeline was a bit too unrealistic but you can expect CMMC to be in about 15 "pathfinder" contracts in the fall time frame with that flowing down to about 100 suppliers below. There will be opportunities to 3PAO's, individual and organizations, to perform the assessments. Biggest thing I see now are the snake oil salesmen out trying to tell folks they can sell you something to make you CMMC compliant, ummmmm no......
@TXWayne This is interesting, whilst the Australian Security Directorate, have told all those who went through the IRAP certification process, that the certification for Cloud will be dropped in July 2020. The rationale is to open up competition - more likely a lot more work by the Agencies themselves to verify whether or not they should be using cloud services from those entrepreneurs, who may have very little regard for security & privacy.
A big headache coming up I reckon.
The rule will be final at the end of this month. This is getting real.
I'm working for a company that has been doing NIST 800-171 assessments and is already doing CMMC assessments. We are in line to be a CMMCAB Registered Practitioner.