Intended to be a unifying standard for the implementation of cybersecurity across the defense industrial base (DIB), the CMMC’s requirements are already being felt even though the program is not yet fully operational. For example, as of November 30, 2020, all government contractors with a DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, clause in their contracts were required to conduct a self-assessment of NIST SP 800-171 standards and enter their results into the Supplier Performance Risk System (SPRS). COVID-19 and other challenges arose in 2020, resulting in delay to the program and critical delays in staffing assessors. Despite these delays, some DoD contracts moved forward with CMMC pilot programs in 2021, such as the Space Force, which added such requirements to a broadband global area network request for information.
Source:
- Alston & Bird: Department of Defense’s CMMC: Where Is It Now?
