CMMC Compliance Deadline: When Do I Need to be CMMC Compliant? (Updated 2024)
Companies looking to become compliant should have started their security and compliance journey in Q3 of 2023. It takes a company an average of 12-18 months to complete the 7 Steps of CMMC.
OCTOBER 15, 2024 UPDATE: THE CMMC PROGRAM FINAL RULE HAS BEEN PUBLISHED.
On October 15th, 2024, the CMMC ruling – known formally as the 32 CFR Part 170 ruling, or the “Program Rule” for CMMC – was published.
This CMMC Program Rule mandates that all contractors in the Defense Industrial Base who handle Controlled Unclassified Information or Federal Contract Information must comply with strict cybersecurity standards. While the government’s phased rollout will take time, prime contractors are already expecting CMMC requirements to be met by subcontractors. We encourage you to act now, as the demand for compliance services will grow and strain available resources.
Here's what you need to know about when CMMC compliance will be required:
- The CMMC Program Final Rule was published on October 15, 2024.
- It takes a 50-person company an average of 6-12 months to prepare for a CMMC assessment.
- CMMC assessments will be available in Q1 2025.
- The phased roll-out of CMMC as a contractual requirement will begin around Q3 of 2025.
How long does it take to get CMMC compliant?
It typically takes organizations anywhere from 6-18 months to prepare for an assessment.
How do I know if I need to be CMMC compliant?
Check your existing contract requirements to determine your appropriate level of CMMC. If you have existing DFARS 7012 requirements and you handle CUI, it is likely that you'll need to be CMMC Level 2 compliant.
What should I do next to become CMMC compliant?
Speak with an expert here at Summit 7 to get clear next steps for your organization.
Then, download our CMMC Readiness Brief for an overview of the steps required for CMMC compliance.
What is the CMMC Compliance Deadline Update for 2024?
As of September 2024, the Department of Defense's 48 CFR CMMC Proposed rule has been published. This milestone allows us to estimate the timeline for the implementation of CMMC regulations. The delays have been addressed, signaling that contractors need to start preparing for the upcoming CMMC roll-outs (yes, there are two distinct roll-outs to anticipate).
Are There Two CMMC Rules?
Indeed, there are two separate CMMC rules. (For more details, check out our webinar.)
What is the 32 CFR CMMC Rule?
The first rule, known as the "32 CFR CMMC," codifies the CMMC program. This rule, published as a final rule in October 2023, officially makes certification assessments available on the market. National Security programs like CMMC are codified in Title 32 of the Code of Federal Regulations.
What is the 48 CFR CMMC Rule?
The second rule updates the DFARS contract clause 252.204-7021, which outlines the Cybersecurity Maturity Model Certification Requirements, to align with the 32 CFR CMMC program details. This clause, originally published in 2020, needs revisions to reflect changes from CMMC 1.0, including the reduction from five to three levels, allowances for temporary findings (POAMs), and the introduction of a waiver process.
Once both rules are finalized and effective, contractors will know the required CMMC certification level for specific contracts based on their 7021 clause. The procedures for assessment, including requirements and allowances for temporary deficiencies, will be detailed in Title 32 of the CFR.
When Will CMMC Be Published?
THE CMMC PROGRAM FINAL RULE HAS BEEN PUBLISHED.
On October 15th, 2024, the CMMC ruling – known formally as the 32 CFR Part 170 ruling, or the “Program Rule” for CMMC – was published.
As of September 2024, the 48 CFR CMMC Proposed rule has been published. This milestone allows us to estimate the timeline for the implementation of CMMC regulations.
The Pressure is Coming: Two CMMC Rollouts
With two distinct CMMC rules on separate publication schedules, the CMMC program will undergo two different roll-outs. The "market roll-out" has begun now that the 32 CFR CMMC rule is effective, allowing early adopters and competitors to seek certification voluntarily starting in January 2025, even before the DoD requires it in contracts. Large prime contractors are likely to require their suppliers to get certified, accelerating the market roll-out.
The "phased roll-out" will start once the 48 CFR CMMC rule is finalized, enabling the DoD to include specific CMMC level requirements in contracts and solicitations.
Defense contractors will face mounting pressure to achieve CMMC certification long before it becomes a contractual requirement, with this pressure anticipated to start in Q4 2024.