
DoD Proposed Timeline for CMMC

Written by Waits Sharpe | Jun 19, 2024 2:30:00 PM

Update 6/24: On June 27th, 2024, the Department of Defense finished its review and adjudication of the CMMC "proposed rule" and sent it to OIRA as a "final rule". OIRA has 90 days to review this final rule, which means that CMMC should be published in the Federal Register in October of 2024.

The road to finalizing the Cybersecurity Maturity Model Certification, or CMMC, has been a long one. However, the U.S. Department of Defense (DoD) has proposed a new timeline for when contractors may begin seeing CMMC appear in their contracts.

What is CMMC? The CMMC proposed rule will require any contractor working within the Defense Industrial Base (DIB) that handles controlled unclassified information (CUI) to undergo a third-party assessment, to ensure that specific security measures are in place to keep sensitive data from falling into the wrong hands. The CMMC model consists of three "maturity levels", each building on the previous one, with NIST SP 800-171 as its foundation.

In December of 2023, the DoD issued CMMC as a proposed rule and included an estimated timeline for the implementation of CMMC. The CMMC program is intended to be implemented in four phases:

Phase 1 - 

The first phase will begin on the effective date of the DoD's final CMMC rule. During this phase, CMMC level 1 and level 2 self-assessments will be required in order to win a contract. Depending on the contract, the DoD may require third-party assessments for contractors at CMMC level 2 when CUI is involved.

Phase 2 - 

Six months after phase 1 begins, phase 2 will begin by requiring third-party assessments for any contractors seeking CMMC level 2 contracts. This third-party assessment must be performed by a C3PAO authorized to assess for CMMC compliance.

Phase 3 -

The third phase of the CMMC rollout will begin one year after phase 2 begins. During phase 3, the DoD will extend CMMC level 2 assessment requirements to contracts awarded prior to the finalization of the CMMC rule.

Phase 4 -

One year after phase 3 begins, the implementation of CMMC will be fully complete. The DoD will include the CMMC requirement in all applicable contracts.

Are there any specific dates on which contractors can expect this process to start? Considering that CMMC was entered into the Federal Register as a proposed rule on December 26th, 2023, the estimated timeline would look something like this:

Phase 1 - December 26th, 2024 (One year after the proposed rule)

Phase 2 - June 26th, 2024 (6 months after phase 1 begins)

Phase 3 - June 26, 2026 (1 year after phase 2 begins)

Phase 4 - June 26, 2027 (full implementation, one year after phase 3 begins)

Note that this timeline is subject to change and shift. In fact, it seems that the DoD is seeking to speed up implementation, making compliance necessary much sooner. Organizations should seek out C3PAOs and CMMC-compliant MSPs to begin the audit process. It is possible that we could see phase one beginning as early as November of 2024.

CMMC Timeline

While many may be tempted to think that CMMC is still several years away from full implementation, that doesn't mean organizations should wait to pursue compliance. As a reminder, the CMMC rule is the DoD's way of assessing compliance with the controls outlined in the NIST SP 800-171 framework, which contractors have been required to adhere to since 2017.

Organizations that already know their SPRS score are ahead of the curve. For those who haven't begun their compliance journey, the time is now.

As a certified RPO with the Cyber AB, CorpInfoTech is fully capable of aiding SMBs in achieving CMMC compliance on time, on budget, and with tangible results. Contact us today to learn more!