C3 has merged with Ingalls Read Press Release >>

Our Take: The C3 Compliance Advisory Services Team Discusses the CMMC Proposed Rule

In this ongoing blog, members of the C3 Compliance Advisory Services Team discuss details of the CMMC Proposed Rule and make recommendations for members of the Defense Industrial Base.

Make Your Voice Heard, Get Your House in Order: The Public Comment Period and Possible Options for Your Next Steps with CMMC.

By: Collin Overby, C3 Policy Analyst

The industry has waited for years, and in December 2023 the day finally arrived: the CMMC 2.0 proposed rule dropped, and the impact is already being felt throughout the Defense Industrial Base (DIB). Large primes and smaller subs are officially on notice – if your firm holds Federal Contract Information (FCI) and/or Controlled Unclassified Information (CUI), you will be impacted by CMMC.

A release of this magnitude has made many smaller firms feel like tiny cogs in an unwieldy, and unyielding system. But the public comment period exists, and it exists for a reason: it’s the DIB’s opportunity to help shape CMMC into its most useful format. Firms are actively encouraged to make use of this comment period and to provide feedback that will help the DoD strike the balance between two important (and necessary) goals: 1) bolstering the cyber hygiene of the DIB as a whole; and 2) maintaining an open and diverse base of product and service providers, regardless of size. Before the dust settles, and the final rule is issued, you can (and potentially should) make your voice heard in a constructive and purposeful way.

Then, it’s time to ‘get your house in order’ if you haven’t already begun. A starting point could begin with making an honest assessment of your ability to understand the compliance requirements and implement the technology and policy that will be necessary to meet CMMC requirements. Many companies will find it beneficial to outsource much of these compliance requirements to an External Service Provider (ESP) that specializes in service, experience and scalability in compliance.  My company, C3 Integrated Solutions, is a leading ESP in this market.

It’s likely later than you might think – and the future of a company could very well hinge on its ability to comply with CMMC at the appropriate level. Compliance typically takes at least 12 months for companies that have not already made investments toward that goal.  It is likely prudent to begin to strategically position the role and responsibilities of the ESP, and specifically a compliance ESP, within your CMMC compliance planning, before it is codified in its final version.