The Department of Defense’s CMMC 2.0 cybersecurity rule has reached the White House OIRA for review—the last step before publication and phased implementation in contracts. This signals that mandatory cybersecurity certification requirements (at least for some contracts) are imminent. Small and mid-tier DoD suppliers should assume that self-assessment at minimum, and third-party assessments for higher levels, will begin appearing in solicitations and options over the coming months. Immediate actions: complete a gap analysis against NIST SP 800-171, implement POA&Ms with realistic timelines, harden incident response and log management, and line up a C3PAO if you’ll need Level 2 certification. Expect increased scrutiny from primes on their subs’ readiness and potential re-tiering of supply chains. Budget now for tools, documentation, and audits; it’s cheaper than lost awards.
Read more: MMM Law recap; Prescott analysis.