CMMC Background

Defense contractors handling controlled unclassified information (CUI) have been required to meet the 110 controls of NIST 800-171 since 2017. CMMC will validate compliance with NIST 800-171 through independent assessments conducted by a C3PAO (CMMC Third-Party Assessor Organization).

The DoD has stated that CMMC will be required for virtually all DoD contracts starting on or after October 1, 2025. Here’s what Matt Travis (CEO of Cyber-AB) warned at PreVeil’s CMMC Summit:

The Latest CMMC Timeline

The CMMC Final Rule (CFR 32) became effective on Dec 16, 2024, and CMMC assessments started on Jan 2, 2025.

CMMC Compliance Deadline: When will it be in contracts?

On July 23, the DoD sent CFR 48 to the OMB, and stated that CMMC will be required for virtually all DoD contracts starting on or after October 1, 2025. This is a reasonable expectation given the timeline: OIRA has a 60-day review window that can be extended by an additional 30 days, though that extension is unlikely for this particular rule since it’s simply enforcing existing regulations and is deemed not “economically significant”. It’s also a logical alignment with the start of the government’s new fiscal year.

However, this does not mean that companies should wait to begin a CMMC implementation plan. NIST 800-171, which CMMC is based on, is already required today. Further, Primes are already beginning to require their subcontractors meet CMMC requirements, ahead of the rule. Here’s what Leidos CISO JR Williamson said on a PreVeil panel,

Defense contractors who are not yet meeting all 110 NIST 800-171 controls should prioritize this immediately if they wish to continue bidding on defense contracts.

Preparing for CMMC Level 2

Given that CMMC will be in contracts in late 2025, you need to get started on your compliance preparations now, as it takes 6-12 months for the average defense contractor to get assessment ready. Doing nothing is not an option. Here’s what Matt Travis said:

If you’re not sure where to start, read our CMMC Guide. For convenience, here are a few ways to expedite your compliance journey:

  1. Use Pre-filled Documentation: Protecting CUI is at the core of NIST and CMMC compliance. However, you also must provide detailed documentation to your CMMC Assessor to prove that you’re compliant. PreVeil offers pre-filled, assessment-validated documentation that covers all 110 controls, including a System Security Plan (SSP). 
  2. Limit POA&MS: Plans of Actions & Milestones (POAMs) describe your plan to meet any controls that are currently unmet. Make sure you are taking steps to address any POAMs and specifying the technologies and procedures you will need to close those gaps. C3PAOs will allow for only a limited use of POAMs at the time of assessment and then only for the least critical controls. You will need a minimum score of 80% (88/110) to be eligible for a conditional certification so we do not recommend relying on POAMs to pass CMMC.
  3. Leverage Partners: If you get stuck, or don’t have the time or expertise to complete the steps required, you can take advantage of PreVeil’s preferred network of Assessors, Consultants, and Service Providers. They offer a variety of services to help accelerate your compliance journey, and you can have confidence that they were vetted and recommended by the PreVeil compliance team.

According to the current letter of the law, NIST 800-171A, you are already responsible for meeting all of the security standards included in CMMC. If you are not yet fulfilling this obligation, the time to act is now.

Next Steps

The goal for defense contractors is to not only remain eligible to win defense contracts, but also to minimize business risk and protect CUI from our country’s adversaries. By getting started on your organization’s compliance journey, you can achieve these objectives and ensure your company is ready for ramped-up federal enforcement of cybersecurity regulations.

To learn more, summarize in AI: