The Cybersecurity Maturity Model Certification (CMMC) Program is poised to explode within the next year, and many new consultants and Assessors will be necessary to meet the needs of the program.
On December 26, 2023, the United States Department of Defense (DoD) issued its long-awaited proposed rule to implement the Cybersecurity Maturity Model Certification (CMMC) Program (Proposed Rule). CMMC is designed to assess defense contractors’ compliance with cybersecurity requirements that are already in their contracts.
Timeline for the Projected Need
The regulation that establishes the CMMC Assessment program is expected to go final in early 2025. While the DoD projects a modest initial rollout, based on their expected phase-in of CMMC contract requirements, knowledgeable CMMC leaders believe that there will be a significant, immediate surge in the number of companies wanting Assessments. There are three main reasons:
-
Prime contractors need the sub-contractors in their supply chain to be ready BEFORE the requirement appears in contracts.
-
External Service Providers (ESPs) need to be assessed BEFORE any Defense Industrial Base (DIB) contractors they support.
-
Some DIB contractors will want to differentiate themselves from their competition early in the CMMC rollout process and position themselves as pre-qualified for DoD CMMC contract requirements.
You want to get started on your CMMC training as soon as possible so that you can be there for that initial surge.
Should You Postpone Training Until the Rule Is Final?
No, don’t wait. DIB organizations need help now to prepare for Assessments, and there is a real need for more qualified consultants and Assessors to help the program be successful.
It takes time to go through the training and then study for the certification exam. The sooner you get started with your training, the earlier you will be able to help DIB organizations prepare for their Assessments, plus you’ll be ready to be part of Assessment Teams when the demand for CMMC Assessments surges in early 2025.
In addition, the core of the CMMC curriculum (the NIST SP 800-171 requirements and how to assess them) will NOT change with the final rule. Details about the CMMC Program will likely change (for example, CMMC ecosystem requirements, and certain Assessment Process details such as dispute resolution). But those things will easily be learned “on the fly” through participation in the ecosystem, or may be covered through continuing education classes from The Cyber AB.
The CMMC exams won’t change, and therefore the CMMC curriculum won’t change until at least six months after the rule goes into effect. If you delay your training, you won’t be able to participate in the CMMC Program until approximately one year after the initial surge of Assessments.
Logical Operations: Your Partner in CMMC Compliance
Logical Operations is a Licensed Partner Publisher (LPP) for the CMMC Program. LPPs provide Licensed Training Providers (LTPs) and other training delivery organizations with materials designed to help Organizations Seeking Certification (OSCs) design and implement successful CMMC compliance programs. Partnering with Logical Operations ensures access to valuable resources and expertise in navigating the CMMC landscape.
Interested in learning more? Contact Tuuli Eaton at: tuuli.eaton@logicaloperations.com
For additional information on the certification process:
This article has been written by Nancy Curtis, VP, Content at Logical Operations and edited by Michelle Farney.
