December has already seen new rules take effect that serve as a precursor to the full CMMC implementation, and the Defense Department is ready to announce the first 15 contracts that will serve as “pathfinders” for the new model. These contracts will demonstrate the first real-world use of the CMMC, moving beyond the non-punitive tabletop exercises acquisition officials have performed so far.

The new rules require vendors bidding on new contracts to use the Supplier Performance Risk System web portal to self-assess their compliance with the security controls in NIST SP 800-171. The certification will be verified by auditors, at least for vendors who have claimed a medium or high score.

More at Federal News Network