OCTOBER 15, 2024 UPDATE: THE CMMC PROGRAM FINAL RULE HAS BEEN PUBLISHED.
On October 15th, 2024, the CMMC ruling – known formally as the 32 CFR Part 170 ruling, or the “Program Rule” for CMMC – was published.
This CMMC Program Rule mandates that all contractors in the Defense Industrial Base who handle Controlled Unclassified Information or Federal Contract Information must comply with strict cybersecurity standards. While the government’s phased rollout will take time, prime contractors are already expecting CMMC requirements to be met by subcontractors. We encourage you to act now, as the demand for compliance services will grow and strain available resources.
It typically takes organizations anywhere from 6-18 months to prepare for an assessment.
Check your existing contract requirements to determine your appropriate level of CMMC. If you have existing DFARS 7012 requirements and you handle CUI, it is likely that you'll need to be CMMC Level 2 compliant.
Speak with an expert here at Summit 7 to get clear next steps for your organization.
As of September 2024, the Department of Defense's 48 CFR CMMC Proposed rule has been published. This milestone allows us to estimate the timeline for the implementation of CMMC regulations. The delays have been addressed, signaling that contractors need to start preparing for the upcoming CMMC roll-outs. Yes, there are two distinct roll-outs to anticipate.
Indeed, there are two separate CMMC rules. (For more details, check out our webinar.)
The first rule, known as the "32 CFR CMMC," codifies the CMMC program. This rule, published as a final rule in October 2023, officially makes certification assessments available on the market. National Security programs like CMMC are codified in Title 32 of the Code of Federal Regulations.
The second rule updates the DFARS contract clause 252.204-7021, which outlines the Cybersecurity Maturity Model Certification Requirements, to align with the 32 CFR CMMC program details. This clause, originally published in 2020, needs revisions to reflect changes from CMMC 1.0, including the reduction from five to three levels, allowances for temporary findings (POAMs), and the introduction of a waiver process.
Once both rules are finalized and effective, contractors will know the required CMMC certification level for specific contracts based on their 7021 clause. The procedures for assessment, including requirements and allowances for temporary deficiencies, will be detailed in Title 32 of the CFR.
With two distinct CMMC rules on separate publication schedules, the CMMC program will undergo two different roll-outs. The "market roll-out" has begun now that the 32 CFR CMMC rule is effective, allowing early adopters and competitors to seek certification voluntarily starting in January 2025, even before the DoD requires it in contracts. Large prime contractors are likely to require their suppliers to get certified, accelerating the market roll-out.
The "phased roll-out" will start once the 48 CFR CMMC rule is finalized, enabling the DoD to include specific CMMC level requirements in contracts and solicitations.
Defense contractors will face mounting pressure to achieve CMMC certification long before it becomes a contractual requirement, with this pressure anticipated to start in Q4 2024.