DoD Proposed Timeline for CMMC
Update 10/15: The final CMMC 2.0 rule is here. The Cybersecurity Maturity Model Certification program rule (32 CFR Part 170) was published in the Federal Register as a final rule on October 15, 2024. What does this mean for your organization? With the rule final, contractors that handle FCI or CUI need to start closing the gap between their current NIST SP 800-171 posture and the level the DoD will require of them; waiting for the first contract clause leaves no time to remediate before an assessment. If your business needs guidance on navigating the complexities of CMMC 2.0, CorpInfoTech is here to help.
What is CMMC? The CMMC rule requires any contractor in the Defense Industrial Base (DIB) that handles federal contract information (FCI) or controlled unclassified information (CUI) to demonstrate, through a self-assessment or a third-party assessment depending on the level, that the required security measures are in place to keep sensitive data out of the wrong hands. The CMMC model consists of three levels, each building on the previous one, with NIST SP 800-171 as its foundation: Level 1 covers the 15 basic safeguarding requirements of FAR 52.204-21 for FCI and is self-assessed annually; Level 2 covers the 110 requirements of NIST SP 800-171 Rev. 2 for CUI, with most Level 2 contracts requiring a C3PAO (third-party) assessment and a subset allowing self-assessment; Level 3 adds 24 selected requirements from NIST SP 800-172 and is assessed by the DoD's DIBCAC.
The CMMC program is intended to be implemented in four phases:
The CMMC Final Rule (32 CFR Part 170) becomes effective on December 16, 2024, at which point C3PAO assessments can begin and contractors can obtain a certification ahead of any contract requirement. CMMC requirements enter contracts only through the companion 48 CFR (DFARS) acquisition rule, which at the time of writing was expected to be finalized in early 2025; Phase 1 starts on that rule's effective date. Contractors should plan to be ready to demonstrate their CMMC status from Q1 2025.
Phase 1 - (Q1 2025):
DoD will begin requiring CMMC Level 1 self-assessments for contracts involving FCI and CMMC Level 2 self-assessments for contracts involving CUI. At DoD's discretion, some solicitations may already require a Level 2 C3PAO certification in this phase.
Phase 2 - (Q1 2026):
DoD will begin including Level 2 C3PAO certification requirements in applicable solicitations and contracts for handling CUI, although it may defer the requirement to an option period. Where a contract calls for third-party certification, a Level 2 self-assessment no longer satisfies it. Level 3 DIBCAC certification may also be required at DoD's discretion.
Phase 3 - (Q1 2027):
Level 2 C3PAO certification requirements extend to all applicable solicitations and to the option periods of contracts awarded after Phase 2 began, and DoD begins including Level 3 DIBCAC certification requirements where the sensitivity of the CUI warrants it (with discretion to defer Level 3 to an option period). The required level is set by the DoD/Contracting Officer in the solicitation or at the option period.
Phase 4 - (Q1 2028):
Full implementation: CMMC requirements appear in all applicable DoD solicitations and contracts, including option periods on existing contracts.
By 2028, every contractor and subcontractor at any tier of the supply chain that handles FCI or CUI will need the required CMMC status to be eligible for award; only contracts solely for commercially available off-the-shelf (COTS) items are exempt.
Nothing in the rule prevents prime contractors from requiring CMMC compliance of their subcontractors before the DoD's phased schedule reaches them; the rule does require primes to ensure that subcontractors meet the applicable level before FCI or CUI is flowed down to them. Many DoD primes are already using capture planning to identify which subcontractors can meet CMMC requirements for RFPs that are still years out.
CMMC Timeline
While many may be tempted to think that CMMC is still several years away from full implementation, that is no reason for organizations to wait. As a reminder, CMMC is the DoD's way of verifying compliance with the NIST SP 800-171 controls that contractors handling CUI have been contractually required to implement under DFARS 252.204-7012 since December 31, 2017; CMMC changes how compliance is checked, not what is required.
Organizations that already know their SPRS score (the NIST SP 800-171 self-assessment score that DFARS 252.204-7019 and -7020 have required contractors to post since November 2020) are ahead of the curve, provided the score reflects an honest assessment, since a CMMC assessor will test the same 110 requirements. Those who have not begun their compliance journey should start now.
As a certified RPO with the Cyber AB, CorpInfoTech is fully capable of aiding SMBs in achieving CMMC compliance on time, on budget, and with tangible results. Contact us today to learn more!