CMMC ByteSize: Countdown to CMMC
CMMC is coming, but when can we expect it to become effective?
A lot of assumptions and misinformation surround CMMC’s rollout. This uncertainty has made it challenging for businesses to know how to act.
To help you plan, this article summarizes our current best estimates of when CMMC will be rolled out. We will update this post as more information emerges. Are you interested in learning more? Check out our definitive guide to CMMC!
Two CMMC Rules
CMMC is split between two rules:
- 32 CFR CMMC Proposed Rule: activates the CMMC marketplace and assessments via third-party assessment organizations (C3PAOs)
- 48 CFR CMMC Proposed Rule: activates CMMC language in contracts and the phased rollout
These two proposed rules are at different stages of the review process.
The CMMC Marketplace Should Become Active Before EOY 2024
- The final rule cleared regulatory review on 9/14/24.
- The final rule will be published in the Federal Register on 10/15/24.
- The rule will become effective 60 days after publication, around mid-December 2024.
CMMC Could Start to Appear in Contracts from Q2 2025
- We estimate that some contracts could start to contain CMMC requirements from May 2025.
- While the DoD has said it hopes to start adding CMMC requirements to contracts from March 2025, this relates only to Level 1 CMMC requirements and is still subject to the as-yet-unconfirmed publication date of 48 CFR.
- CMMC language in contracts will be rolled out in phases over a three-year period.
(timeline last updated 10/11/2024)
Preparing Your Organization for CMMC
Answering the following questions can help you determine when it is right for your organization to start preparing for CMMC:
- Will you be bidding on new contracts in 2025? We expect CMMC requirements to start appearing in some new DoD contracts from May 2025.
- What is your Prime’s expectation regarding CMMC? CMMC requirements may flow down to you via your Prime.
- What CMMC level do you require?
  - Level 1, for contractors dealing only with FCI (Federal Contract Information), requires adherence to 17 controls.
  - Level 2, for contractors holding, processing or transmitting controlled unclassified information (CUI), requires you to meet all 110 controls in NIST 800-171A.
  - Level 3 will apply only to companies that handle CUI for DoD programs with the highest priority and are likely to experience advanced persistent threats.
- What is your current state of CMMC readiness? You should allow 3-4 quarters to achieve CMMC readiness and adhere to the 110 controls of NIST 800-171A.
- How do you intend to approach NIST 800-171A compliance (in-house vs. an expert partner)? Your choice of approach will affect your likely rollout timeline. NIST 800-171A is complex, and an experienced expert partner can help you shorten the time to compliance.
- Can you afford to wait? Given the volume of companies that will be seeking C3PAO assessments, and the small number of these organizations that exist, wait times are expected to be long once the marketplace opens.
Remember: Adherence to NIST SP 800-171A has been a requirement for DoD contractors with DFARS 252.204-7012 in their contracts since December 2017.
If you’d like to speak to an expert about your business and CMMC, arrange a complimentary consultation.