CMMC 2.0: What You Need to Know About the Latest 2024 Updates
There have been some key updates to the finalization of CMMC 2.0’s maturity level framework and contract requirements. Most importantly, both components of the CMMC rules are closing in on being finalized.
The key takeaway is to expect CMMC requirements to start appearing in contracts as early as Q2 of 2025.
New CMMC 2.0 Updates as of August 2024
CMMC 2.0 has two rules associated with it: 32 CFR and 48 CFR.
- CMMC 32 CFR establishes the revised maturity levels for the CMMC framework and methods of assessment.
- CMMC 48 CFR mandates the inclusion of CMMC requirements into DoD contracts, meaning contractors must prove their adherence to NIST 800-171A before being awarded the contract.
Both CMMC 32 CFR and 48 CFR reached major milestones this summer; see below:
| CMMC 32 CFR | CMMC 48 CFR |
| --- | --- |
| Latest Update: Cleared regulatory review on September 14, 2024. Final rule is expected to be published into the Federal Register by the end of September 2024. | Latest Update: Published into the Federal Register on August 15, 2024. The public comment period is open until October 15, 2024. |
| Estimated Time to be Codified: November 2024 | Estimated Finalization: Q2 2025 |
The CMMC 2.0 Timeline
With the updates on the CMMC 32 and 48 CFR rules, the CMMC timeline has become much clearer. While there are still variables at play that can change specific dates, this timeline is a solid estimate:
How the Phased Roll Out Works
The DoD developed a three-year, phased rollout of CMMC “to minimize the economic impact to the industrial base… and disruptions to the existing DoD supply chain.”
For the first three years, CMMC requirements will be included in “certain contracts for which the CMMC Program Office directs DoD component program offices to include a CMMC requirement.” We anticipate the rollout will begin with Level 1 requirements, then start including Level 2 requirements by the end of 2025.
By the fourth year, all DoD contracts or solicitations will include a CMMC requirement for contractors who process, store, or transmit FCI or CUI – with no exceptions.
When Will CMMC Be in Contracts?
With the 48 CFR rule update, we are encouraging contractors to expect the phased rollout to begin at some point in Q2 2025. By 2028, CMMC requirements will be included in all DoD contracts.
Average Time to Reach CMMC 2.0 Compliance
It is hard to provide an average CMMC compliance achievement timeline because there are too many variables at play. However, we are encouraging people to allot anywhere from 6 to 12 months for CMMC preparations.
Will There Be a Grace Period for Compliance with CMMC 2.0?
As of now, there is no statement from the DoD regarding an official grace period for CMMC 2.0 compliance. However, the DoD’s phased rollout is intended to minimize the impact that implementation has on the industrial base.
Will CMMC Replace NIST 800-171?
A common misconception is that CMMC is an additional set of controls/rules that need to be followed. However, CMMC solely focuses on the implementation of the 110 NIST 800-171A Rev2 controls.
Is FedRAMP required for CMMC?
Not directly. But it is important to understand how CMMC aligns with other cybersecurity regulations.
NIST SP 800-171 (released in 2013, revised in 2022 & 2024) outlines cybersecurity measures to protect Controlled Unclassified Information. CMMC 2.0 verifies adherence to NIST 800-171A Rev2.
DFARS 7012 (released in 2017) has two critical components:
- For all contracts with a DFARS 7012 clause, the contractor must adhere to NIST 800-171 cybersecurity controls.
- For contractors using a cloud service provider (CSP), the CSP must be equivalent to the FedRAMP Moderate baseline.
CMMC 2.0 verifies contractors' implementation of NIST 800-171A Rev2 cybersecurity controls. While FedRAMP is not required for CMMC 2.0, FedRAMP equivalence is required within DFARS 7012.
Does CMMC Require a SIEM?
CMMC does not explicitly require Security Information and Event Management (SIEM) software. However, many of the NIST 800-171A controls can be supported through a SIEM due to its ability to support centralized logging, threat detection, and incident response.
Can You Self-Certify CMMC?
CMMC 2.0 Level 1 allows for self-assessment. However, Level 1 applies to contractors who only handle Federal Contract Information (FCI). If your contracts contain Controlled Unclassified Information (CUI), you most likely will need to achieve Level 2 compliance, which requires a third-party assessment from a CMMC 3rd Party Assessment Organization (C3PAO).
Prepare Your Organization for CMMC 2.0 Compliance with ISI
The journey to CMMC compliance is not linear. There are countless variables, tangible and intangible, that must be accounted for to ensure it is both smooth and successful.
Working with an expert partner like ISI ensures your organization is well-prepared to achieve and sustain your compliance posture. Contact us today to see how ISI can help your business!