CMMC may be delayed – But it’s not going away. Here is what you still need to do now……

crorring through railway with red sygnal lights in winter

As you have likely heard, CMMC Rulemaking will be delayed for at up to a year due to additional Government entities review and approval. The Government may also be looking at improving requirement consistency and standardizing those requirements so that they can also be applied to non-DOD agencies. However, it is certain that DoD prime contractors will still require members of their supply chains to at least self-certify well before rulemaking completes, as they cannot afford to wait until that eventuality. Therefore, we urge all of you to continue your progress towards obtaining or maintaining NIST 800-171 compliance.

The bright side is that you have a little more time to get ready, so the focus should be on what we know will be required. One thing that we know will be required is the audit trail. It is important that you start the required processes now so you can build a repository of artifacts to show a history of compliance. This is required of all audits and is specifically called out by CMMC, and we are confident that requirement is not going anywhere.

Another key requirement is that you will need to be NIST 800-171 compliant, as that will be the minimum required. It is already in place for most DoD contracts, and depending on your FARS Clause you are required to calculate a SPRS score, which is based on NIST 800-171 Rev. 2 compliance. If you don’t do this now, you will likely need to soon, so you may as well get started. It is also a great way to evaluate your overall security posture since this is why we do this in the first place. BSC can help you with this by independently calculating your score and providing gap mitigation. We can also help put together a NIST 800-171 compliant System Security Plan if you don’t have that in place that is definitely going to be a part of any CMMC requirements as it is already for SPRS.

So, once again, let’s get started on the certain tasks and this will greatly ease your workload when the final rules come down. One of the reasons for the delay is that DoD wants to make the process more friendly to small businesses. Our determination is that when this rulemaking is final, all low to moderate-risk Level 2 organizations might only be required to provide a SPRS score along with more detailed documentation, such as the Security Plan and Policies and Procedures, rather than undergo a C3PAO assessment. We think the CMMC-AB likely was too aggressive, and the DoD is reeling them in because there simply won’t be enough C3PAOs to perform the thousands of assessments. We believe if you are compliant with NIST 800-171 and have the artifacts in place to prove it, you will weather any changes in CMMC smoothly.

How can BSC Systems Help?

BSC is helping small and medium-size businesses prepare for CMMC changes including demonstrable compliance with NIST 800-171. We have a proven track record of helping businesses of all sizes meet these requirements. Contact us for a list of references. As a Cyber-AB Registered Practitioner Organization, we have tools, templates and the expertise ready to be tailored for your organization and other support to help you establish a compliant and more secure environment. Give us a call or send us an email for a free one-hour consultation to discuss your needs. Call Philip Norton at (703) 405-7131 or email me at Also visit our web site at