CMMC Deadlines May Be Delayed Due to Lack of Assessors


The Cybersecurity Maturity Model Certification (CMMC) is essential for any company that does business with the Department of Defense (DoD). The premise behind the CMMC is a good one: it’s a way for the DoD to ensure that cybersecurity contractors complied with certain mandatory practices, effectively ensuring that they are secure and can adapt to cyber threats.

When the creation of the new security framework was announced, it was stipulated that all contractors would be assessed by 2023. Unfortunately, it seems as though this will be heavily delayed, as there is a huge backlog of companies that need to be assessed. For context, around 300,000 contractors are being affected by the CMMC implementation and will need to receive CMMC assessments from an accredited assessor.

Why is everything taking so long, and is there an end in sight?

A Lack of Third-Party Assessors

The key problem has been identified by the CMMC accreditation body as a lack of third-party assessors. For contractors to be approved and earn the certification, they must be assessed and reviewed. The issue is that there are currently very few CMMC assessors available.

Shockingly, only one company was approved as a certified assessor in May 2021, with three more added since then. This means 4 companies are responsible for conducting the CMMC assessments, but there are still only 100 assessors available. With the 2023 deadline only two years away, it is highly likely that the final CMMC rollout will take much longer than initially expected.

100,000 Assessments Needed Per Year

The goal is to have 100,000 assessments per year from now through to the end of 2023. That would account for all of the current DoD cybersecurity contractors, but is this currently possible given the lack of assessors?

In the current state, 100 assessors would each need to do 1,000 assessments to meet this target. That equates to just under 3 per day, which is an impossible task given how thorough these assessments should be.

Instead, a founding member of the CMMC accreditation body has stated that they need to reach at least 5,000 assessors to reach the target of 100,000 assessments completed per year. That’s 50 times the current amount, which in itself is a monumental task.

When Can The Final CMMC Rollout Be Expected?

As of right now, it is impossible to tell. If all goes according to plan, 5,000 assessors can be found and the target of 100,000 a year could be reached, meaning you might see things roll out at the end of 2023.

However, this is wishful thinking and it relies on everything going smoothly from now. The fact remains there are currently only 100 assessors, so applications are going extremely slow right now. Until more assessors are hired, it’s unknown when the rollout will happen. If you do business with the DoD and need CMMC certification, it would be wise to expect it beyond the 2023 estimate.

The biggest problem of all is that the DoD needs CMMC-accredited contractors to ensure cybersecurity operations are as tight and secure as possible. Heavy investment is needed in the training of assessors before anything can really go ahead. It’s a tough situation for everyone, and it doesn’t look like it will be resolved any time soon.