The Cybersecurity Maturity Model Certification (CMMC) program journey started back in 2019, which eventually led to DFARS Case 2019-D041. Since then, it has gone through several changes and program evolutions. Nearing 4 years in the making and getting closer to being finalized, companies are wondering what is next. What is the target date for the new rule?
CMMC Rulemaking Timeline
The rulemaking process illustrated in the graphic below shows a high-level workflow from the Government Accountability Office (GAO).
Figure 1: GAO Federal Rulemaking
Figure 2, Estimated Rulemaking and CMMC 2.1 timeframe, shows the 32 CFR and 48 CFR rulemaking timelines. The 48 CFR rulemaking started in March 2024, as communicated to the community by the DoD. The rulemaking process in the diagrams below moves left to right, with assumed timeframes calculated from the rulemaking process and educated guesses; the estimates are in the blue description blocks. Once the rulemaking process has been completed and the effective day arrives, the text of the rule determines the effective dates. The 48 CFR rule stated that the DoD anticipates all contract solicitations from October 1, 2026, will include the CMMC requirement.
Figure 2: Estimated Rulemaking and CMMC 2.13 timeframe
During the February 2024 CyberAB Town Hall, the CyberAB presented their timeline for the rulemaking process, as seen in Figure 3, estimating that October 2024 is when the 32 CFR would be issued. They also highlighted that federal elections and the adjournment of the 118th Congress may influence the rulemaking process.
Figure 3: Estimates from the CyberAB February 2024 Town Hall
When the final rule has been published and the 30–60-day effective date is up, then it will be a requirement, right? Well, this is where it gets complicated, or should I say more complicated. The rule gives the framework for what is required, but now the assessors need education, training, and certification to conduct assessments. The CyberAB has a sub-organization called the Cybersecurity Assessor and Instructor Certification Organization (CAICO) that will need to update the blueprints for the Certified CMMC Professional (CCP) and the Certified CMMC Assessor (CCA) training. After the blueprints have been updated, the exam needs updating. Then, delta training needs to be offered to existing CCP and CCA personnel so that they understand the differences in the CMMC models (CMMC 2.0 vs. 2.13). The C3PAOs may also need to update their assessment procedures under ISO 17020 and provide their assessment teams training on the changes.
Now we are ready, correct?
Not quite. Every Licensed Publishing Partner (LPP) in the ecosystem will need to update their CCP and CCA training, send it to ProCert for verification, and then, once approved, use that new content for education and training for new CCP and CCA candidates. While the assessments can happen, it is unlikely that there will be enough educated and trained personnel to conduct the assessments.
Okay, let’s get the assessments going!
There is one final thing that comes into play here. The DFARS 252.204-7021 rule must be inserted into a contract (new awards, recompete awards, and potentially option year contracts) by the contracting officer. During the phase-in period, the contracting officer will decide if they should insert the clause into the contract or not. Based on the rulemaking, other clauses will be added as well, and it is assumed that the additional clauses will provide the specifications as to which CMMC level the contractor must obtain.
Call to Action
Many companies have been holding off on their implementation of a cybersecurity compliance program to meet the 7012 clause because they are linking it directly to the CMMC rulemaking; others have a program in place and are wondering when they may need to get the DFARS 252.204-7021 (CMMC requirement) clause inserted into their contracts. Most, if not all, contracts have the 7012 clause as a requirement today, so there should be no hesitation in implementing a compliance program for your organization.
The program implementation estimates are 6-9 months from the DoD and 12-18 months from industry. If we look at the rulemaking process, your organization may be required to get a CMMC certification as soon as April 2025. If we roll that back 12 months, that means April 2024 was the timeframe for starting to work on putting together a program.
If you need to rely on a third party to set up a program, the longer you wait, the less likely they will be available to help, or the more it will cost to rush the order. The contractor will still be required to implement a NIST SP 800-171 program under the 7012 clause, conduct a self-assessment using NIST SP 800-171A and the DoD Assessment Methodology, and then upload their score to the Procurement Integrated Enterprise Environment (PIEE) Supplier Performance Risk System (SPRS) under the DFARS 252.204-7019 clause to be considered for award. The contractor may need to allow the Defense Contract Management Agency (DCMA) / Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) to perform their own moderate or high assessment following the 7020 clause. The contracting officers will follow the DFARS 252.204-7024 clause to look at the scores in the SPRS system as part of the award determination.
Government Compliance Workshops and Services to Get You Ready
Everyone agrees that the rules are complicated. The bottom line is that prime contractors can begin to include CMMC 2.0 in contracts as early as January 2025. Once that happens, experts at every level of the compliance chain will be in short supply. Together with our partner, Critical Prism Defense, we have the certifications and qualifications to guide you through the entire CMMC 2.0 compliance process.
You can start with our Government Scoping Workshop. It’s a first step to scope your environment in the compliance program. This Workshop assists with determining which requirements your organization needs to follow and uncovers sensitive information you may be creating, processing, storing, or transmitting. If you’re further along, we offer a Government Implementation Workshop, which walks you through a detailed plan of how your organization can achieve compliance.
Migration services are obviously critical. Daymark has the proven expertise to migrate data from your current environment to Microsoft’s Government Cloud, leveraging Microsoft-authorized GCC, GCC High, and Azure Government licenses. This can include:
- Deployment of Entra ID, Intune, Defender, and Microsoft Purview Information Protection to solve various security and compliance controls.
- CMMC Compliance Services:
- CMMC Gap Analysis
- Comprehensive Documentation, including SSP and POA&M
- CMMC Readiness Assessment
- Tabletop Exercises
These are just some of the many ways we can help you quickly prepare for CMMC deadlines. Contact us today to get started.