CMMC: RTFM Edition Pt. 1/823

The rumor mill is ablaze with speculation regarding possible changes to CMMC at both the program and model level. The DoD has provided precious little information about the rumored changes; however, one theme has remained constant: making sure that a beneficial balance is struck for both the department and industry.

One of the only places where the department has documented their rationale is in the Federal Register during the rulemaking process. It often comes as a surprise to people that the DoD has preemptively provided their rationale for various decisions which are judged to be unreasonable/draconian/obstinate/etc.

A good example is the DoD's thinking regarding the timing of certification:

"The Department took into consideration the timing of the requirement to achieve a CMMC level certification in the development of this rule, weighing the benefits and risks associated with requiring CMMC level certification:

1. At time of proposal or offer submission; or

2. At time of award; or

3. After contract award.

The Department ultimately adopted alternative 2 to require certification at the time of award.

The drawback of alternative 1 (at time of proposal or offer submission) is the increased risk for contractors since they may not have sufficient time to achieve the required CMMC certification after the release of the Request for Information (RFI).

The drawback of alternative 3 (after contract award) is the increased risk to the Department with respect to the schedule and uncertainty with respect to the case where the contractor is unable to achieve the required CMMC level in a reasonable amount of time given their current cybersecurity posture. This potential delay would apply to the entire supply chain and prevent the appropriate flow of CUI and FCI."

Recall that in the lead-up to the interim rule, the DoD verbally maintained that CMMC Certification would be required pre-bid (option 1 above). Many are concerned with the requirement to get certified at the time of award and feel that it should change. However, given the criterion of striking a balance for both industry and the department, the question becomes "how likely is the DoD to change what's in the interim rule?" instead of "why didn't the DoD think of this already?".

Quite often, suggestions and arguments emerge from industry which have already been reasonably addressed by the DoD. As a result, the DoD would need to depart from its rationale in order to accommodate various changes. Historically this has not occurred in response to many of the same arguments we are wrestling with today (cost, burden, impact, etc.). Yet, it is valuable to understand the documented perspective of the DoD in order to contextualize possible (let alone probable) changes.

There are hundreds of elements of CMMC that could possibly be changed in some manner. Yet, few changes would constitute tangible differences on the ground of the defense industrial base. Familiarity with DoD's thinking on various matters as documented in the Federal Register is a key input for forming better suggestions and focusing on the elements of CMMC that are most impactful and most likely to change.

Larry Hughes

Security Compliance Aficionado | Certified CMMC Professional | Governance, Risk & | CCA, CCP, CMMC-RP, CISSP, CCSP, CCSK | NIST, CMMC, FedRAMP, HITRUST | Patent Infringement Expert

3y

I agree Jacob Horne. I've studied CMMC for hundreds of hours (unrelated to RP) and have also benefited overall as a security professional, even with 20 years of security experience.

Rick Badgley

Associate Director - GRC Cybersecurity and Compliance

3y

And yet we still get programs putting DFARS 7021 into solicitations.

Michael H.

ISSM, Strategic Systems Programs USN

3y

RTFM edition. Love it.

All indicative of wishful thinking I suspect.

Linda Rust

Strategic advisor | Translating cybersecurity to business | Engaging Fortune 100 C-suite and Board, private equity (PE), and company owners | vCISO | Step Zero™ rapid cybersecurity estimates for M&A and compliance gaps

3y

And yet so much is 80-90% certain. Some mature primes get that and are pushing it down to tier 2...What happens below that, pray tell? We focus so much on DoD and Primes...especially the biggest primes. Completely compliant bidding teams fully certified before the contract is awarded. That is an exceedingly HIGH BAR which needs to be lowered and, along with a more realistic view of POAMs, will hopefully get some responsible, accountable, not blank check wiggle room to make this more workable.
