CMMC 2.0: What You Need to Know About the Latest 2024 Updates

The end of 2024 and the start of 2025 have seen some key updates to the finalization of the Cybersecurity Maturity Model Certification (CMMC) 2.0’s maturity level framework and contract requirements. This blog post covers the latest updates defense contractors should know and their impact on the projected timeline for CMMC 2.0 implementation.
Key Takeaway: The final rule that implements CMMC requirements into defense contracts is expected to become effective in late Q2 or early Q3 of 2025. Once this happens, contractors will have to achieve their CMMC Certificate of Status before being awarded new defense contracts.
New CMMC 2.0 Updates: Progress on the Final Rules
CMMC 2.0 has two rules associated with it: 32 CFR and 48 CFR.
- CMMC 32 CFR establishes the revised maturity levels for the CMMC framework and methods of assessment.
- CMMC 48 CFR mandates the inclusion of CMMC requirements into U.S. Department of Defense (DoD) contracts, meaning contractors must prove their adherence to NIST SP 800-171A before being awarded the contract.
Both CMMC 32 and 48 CFR have reached (or are reaching) major milestones:
| CMMC 32 CFR | CMMC 48 CFR |
|---|---|
| Latest Update: The DoD published the CMMC final rule for 32 CFR in the Federal Register on October 15, 2024. The CMMC program and marketplace are now officially active. | Latest Update: Published in the Federal Register on August 15, 2024. The public comment period was open until October 15, 2024. |
| Date of Finalization: December 16, 2024 | Estimated Finalization: Q2-Q3 2025 |
The CMMC 2.0 Implementation Timeline
With the updates to the CMMC 32 and 48 CFR rules, the CMMC timeline has become much clearer. While there are still variables at play that can change specific dates, this timeline is a solid estimate:
How the Phased Rollout Works
The DoD developed a three-year, phased rollout of CMMC “to minimize the economic impact to the industrial base… and disruptions to the existing DoD supply chain.”
For the first three years, CMMC requirements will be included in “certain contracts for which the CMMC Program Office directs DoD component program offices to include a CMMC requirement.” We anticipate the rollout will start with Level 1 requirements and then begin including Level 2 requirements by the end of 2025. DoD contractors seeking Level 3 certification will need to achieve a CMMC Level 2 Certificate of Status first to demonstrate their eligibility.
By the fourth year, all DoD contracts or solicitations will include a CMMC assessment requirement for contractors who process, store, or transmit FCI or CUI – with no exceptions.
When CMMC Compliance Will Be Required in Contracts
With the 48 CFR rule update, we are encouraging contractors to expect the phased rollout to begin at some point in Q2 or Q3 of 2025. However, by 2028, CMMC assessment requirements will be included in all DoD contracts.
Average Time to Reach CMMC 2.0 Compliance
It is hard to provide an average timeline for achieving CMMC compliance because there are too many variables at play. However, we are encouraging people to allot between 6 and 12 months for CMMC preparations.
Will There Be a Grace Period for Compliance with CMMC 2.0?
The Department of Defense will not be offering a grace period for CMMC 2.0 compliance. However, the DoD’s phased rollout is intended to minimize the impact that CMMC implementation has on the defense industrial base (DIB). Companies should take proactive steps to meet CMMC requirements as delays in compliance could pose risks to both contract eligibility and national security.
Will CMMC Replace NIST 800-171?
A common misconception is that CMMC is an additional set of controls/rules that need to be followed. However, the transition from CMMC 1.0 to CMMC 2.0 streamlined compliance by aligning Level 2 entirely with the 110 security requirements in NIST 800-171. This change removed extra CMMC-unique practices and maturity processes, making the framework more in line with existing federal cybersecurity standards.
Is FedRAMP Required for CMMC?
Not directly. But it is important to understand how CMMC aligns with other cybersecurity standards.
NIST SP 800-171 (released in 2013, revised in 2022 & 2024) outlines cybersecurity requirements necessary to protect Controlled Unclassified Information (CUI). CMMC 2.0 verifies adherence to NIST 800-171A Rev2.
DFARS 7012 (released in 2017) has two critical components:
- For all contracts with a DFARS 7012 clause, the contractor must adhere to NIST 800-171 cybersecurity controls.
- For contractors using a cloud service provider (CSP), the CSP must be equivalent to the FedRAMP Moderate baseline.
CMMC 2.0 verifies contractors’ implementation of NIST 800-171A Rev2 cybersecurity controls. While FedRAMP is not required for CMMC 2.0, FedRAMP equivalence is required within DFARS 7012.
Does CMMC Require a SIEM?
CMMC does not explicitly require Security Information and Event Management (SIEM) software. However, many of the NIST 800-171 controls can be supported through a SIEM because it provides centralized logging, threat detection, and incident response capabilities.
Can You Self-Certify CMMC?
CMMC 2.0 Level 1 allows for self-assessment. However, Level 1 applies to contractors who only handle Federal Contract Information (FCI). If your contracts contain Controlled Unclassified Information (CUI), you most likely will need to achieve Level 2 compliance, which requires a third-party assessment from a CMMC 3rd Party Assessment Organization (C3PAO). In a Level 2 certification assessment, a Cyber AB authorized assessor will evaluate your cybersecurity practices to ensure they meet the necessary security requirements.
What Level of CMMC Is Needed for CUI?
To handle CUI, prime contractors and subcontractors working with the DoD must meet CMMC Level 2 requirements. This level is designed to ensure that organizations handling sensitive information implement robust cybersecurity practices aligned with NIST SP 800-171. Prime contractors must ensure their subcontractors also comply, as CUI protection flows down the supply chain.
Prepare Your Organization for CMMC 2.0 Compliance with ISI
The journey to CMMC compliance is not linear. There are countless variables, tangible and intangible, that must be accounted for to ensure it is both smooth and successful.
Working with an expert partner like ISI ensures your organization is well-prepared to achieve and sustain your compliance posture. Contact us today to see how ISI can help your business!