On December 27, 2021, President Biden signed the FY22 National Defense Authorization Act (NDAA) into law, authorizing nearly $800 billion in defense spending.
The national defense total in the 2022 omnibus spending bill is $782 billion, a 3.9 percent increase over the administration's request for 2022 and a 5.6 percent increase over the 2021 appropriations. This includes $13.6 billion in emergency military and humanitarian aid for Ukraine as Russia's deadly war on that country continues.
In good news for small business, the NDAA orders the Pentagon to report on the effects of the Cybersecurity Maturity Model Certification (CMMC) framework on small business concerns (Sec. 866). The report must detail the estimated costs of compliance, the expected change in the number of small businesses in the defense industrial base, and efforts to mitigate negative effects. This provision is a big win for small businesses, since it forces the Pentagon to consider the ripple effects on lower-tiered small businesses as it revamps the CMMC program.
This is important because the Department of Defense (DoD) is planning to release an Interim Rule on the CMMC framework by May 2023, according to Stacy Bostjanick, director of the CMMC program for the DoD.
By July of 2023, CMMC requirements will start appearing in DoD contracts. Businesses now have about one year to earn their CMMC certification to be able to bid on DoD contracts.
If there are no changes to the rulemaking, Level One will include 17 practices and companies will be allowed to self-certify. While this is good news, it also comes with a warning. In the past, businesses were allowed to self-certify; unfortunately, many companies did not implement proper cyber security measures, and government information was compromised.
Alongside the new changes to CMMC, the DOJ recently announced a Civil Cyber-Fraud Initiative using the False Claims Act (FCA). If a company self-certifies and then has a security breach, it will be investigated. If it is determined that the company did not properly implement CMMC standards, it will be prosecuted. There is also an initiative to pay whistleblowers to tell the government when companies are not implementing, and maintaining, adequate cyber security requirements.
The DoD also lowered the maximum number of practices from 171 to 110 for Levels Two and Three. These levels will require a third party to certify that your business meets CMMC requirements. Fewer than 100 businesses will need Level Three certification. Most businesses will only need Level One, but if your business handles Controlled Unclassified Information (CUI), you will need Level Two.
If you currently win contracts with DoD, or want to, now is the time to start the process of completing your CMMC certification.
Within the next few years, the majority of federal government agencies will require CMMC certification.
If you have any questions about your next steps, please email us at CMMC@govcontractors.org.
Written by Guy Burns, CSP, CCM, RP, Executive Vice President of Training and Business Development, Government Contractors Association.