ATTENTION GOVERNMENT CONTRACTORS!
For those of you who contract to the DoD or Department of Education, or are a vendor to those who do, this will apply to you sooner; for other executive branch agencies, it will take a little longer.
The section of Title 32, the part of the Code of Federal Regulations that the DoD uses to define what DoD contractors and their subs have to do to protect sensitive information, has been released by the Office of Management and Budget to be published in the Federal Register. That could happen in the next week.
There was an agenda here. Once it is published, Congress has 60 days to create and pass a bill to tell DoD that this regulation is nullified. Given the current Congress, even if they wanted to, that is highly unlikely to happen.
It has been less than 9 months since the proposed rule was published. Less the 60-day public comment period, that means that they reviewed and processed the 1800 comments they got in 7 months. That means that it is highly unlikely that anything significant changed between the proposed final rule and the final rule.
That means that the effective date for CMMC could be within 60 days. IT **COULD** START APPEARING IN RFPs AFTER THAT. NOT GUARANTEED, BUT IT COULD – DOD HAS ACTUALLY SAID THAT.
Given that it is likely to take you a year or more to get ready to get certified and the fact that the few certifiers that are out there are not booking new assessments until second quarter 2025, if you have been waiting, now might be a good time to stop waiting.
Here is a link to the news.
But wait, there is more.
The Department of Education has been, informally, telling folks that it, too, has to comply with Executive Order 13556, which is the EO that effectively requires the executive branch to comply with NIST SP 800-171. They have been telling vendors that process student loan data that the data is considered Controlled Unclassified Information (CUI) and they have to handle it that way. That means complying with NIST SP 800-171.
That also means that colleges and universities who process student loan data for federally guaranteed loans also have to comply with 800-171. Read the reginfo here.
If you think defense contractors are not ready to comply with 800-171, consider this.
The Department of Justice is currently suing two universities, not for being noncompliant with 800-171, but for lying about being compliant with it.
If federal government dollars are important to your business, either directly or indirectly (prime or sub), and you are not actively working on your 800-171 compliance program, you are behind and you need to get started right away.
If you need help, contact us. We have a very cost-effective way to do that.