On 5/17/2024, the 48 CFR CMMC Rule, which will revise the DFARS clause in contracts (252.204-7021), reached the OMB’s Office of Information and Regulatory Affairs (OIRA). This signifies continued progress towards mandatory CMMC compliance in DoD contracts by Q1 2025.

CMMC History

CMMC comprises the same 110 controls that lie at the core of NIST 800-171. The only difference between CMMC and NIST 800-171 is that CMMC will require a third-party assessment conducted by an independent C3PAO (CMMC Third-Party Assessor Organization).

Defense contractors handling controlled unclassified information (CUI) have been required to meet NIST 800-171 since 2017. Thus the question here isn’t when defense contractors will need to meet CMMC standards – they’ve been required to for the past five years. The only piece still up in the air is when strict enforcement will begin.

The DoD has made clear that CMMC is imminent and defense contractors need to work towards meeting compliance. Here’s what Matt Travis (CEO of Cyber-AB) said at PreVeil’s Virtual CMMC Summit:

“There really are two sides of this coin: There is ‘you must implement the standards’ and there is a conformity regime being set up to validate that you’ve done that. You don’t need to wait on that second half to get going on that first half,” said Travis. He warned that it is “very risky and detrimental to your business” to delay implementation of the 110 NIST 800-171 requirements.

The Latest CMMC Timeline

When will CMMC be in Contracts?

CMMC is expected to be codified by the end of 2024 and in contracts in Q1 2025. However, this does not mean that companies should wait to begin a CMMC implementation plan. NIST 800-171, which CMMC is based on, is already required today. Furthermore, Primes are already beginning to require their subcontractors to meet CMMC compliance requirements, ahead of the rule.

“Compliance doesn’t equal security, but make no mistake, both the adversary and the regulations aren’t going anywhere. It is important to have a plan, it is important to act now,” Raytheon CISO Paul Escobedo said on a panel in early November 2023. Leidos CISO JR Williamson agreed, “compliance isn’t going away and it is going to be a requirement to be able to bid on and continue to operate on these types of contracts.”

Defense contractors who are not yet meeting all 110 NIST 800-171 controls should prioritize bringing their cybersecurity up to standard immediately.

Preparing for CMMC Level 2

Given that CMMC will be in contracts in Q1 2025, you need to get started on your compliance preparations as it takes 12-18 months for the average defense contractor to get assessment ready. Doing nothing is not an option. “If you do not get CMMC Certification, you will not be able to win DoD contracts. I cannot emphasize that enough,” said Travis.

The CMMC timeline below illustrates the path a contractor might follow to meet all 110 NIST 800-171 controls by the time CMMC is finalized. There are a few important takeaways from this image that will help you in your compliance journey. (Read our blog on the CMMC Compliance Checklist to get the full listing that will help organize your company’s compliance efforts.)

First, while the timeline shows a typical timeframe needed for each task, the time and effort needed to achieve compliance will be different for every defense contractor. Variables include your baseline cybersecurity maturity level and the resources and prioritization you can assign to achieving compliance.

Second, protecting CUI is at the core of NIST and thus CMMC compliance. Moreover, it is not enough to simply protect your CUI, you also must provide adequate documentation to be able to prove that you’re compliant. CMMC assessments will be conducted by C3PAOs at levels 2 and 3. These C3PAOs will require your System Security Plan (SSP) to show how you are meeting each assessment objective as well as providing sufficient evidence and support to demonstrate that you are meeting the assessment objectives.

Make sure you are taking steps to address the POA&Ms and specifying the technologies and procedures you will need in order to close those gaps. C3PAOs will allow only limited use of POA&Ms at the time of assessment, and then only for a small number of the lowest-scoring practices. You will need a minimum score of 80% (88/110) to be eligible for a conditional certification, so we do not recommend relying on POA&Ms to pass CMMC.

Lastly, once you’ve identified the unmet controls, you must take the outlined actions to meet those controls. POA&Ms are strictly time-bound and will expire 180 days after your C3PAO assessment. A POA&M must document all proposed actions to remediate deficiencies and the respective timeframe for doing so. The POA&M should detail the progress of corrective actions as they are carried out and thus be updated regularly. It is critical that organizations prioritize closing any security gaps.

Note that while your organization doesn’t have to achieve the highest possible assessment score by mid-2024, it should be on the cusp of doing so by then. According to the current letter of the law, NIST 800-171A, you are already responsible for meeting all of the security standards included in CMMC. If you are not yet fulfilling this obligation, the time to act is now.

Conclusion

The goal for defense contractors is to not only remain eligible to win defense contracts, but also to minimize business risk and keep CUI out of the hands of our country’s adversaries. By getting started on your organization’s compliance journey you can achieve these objectives and ensure your company is ready for ramped-up federal enforcement of cybersecurity regulations.

PreVeil offers this CMMC 2.0 assessment timeline to help you figure out how best to achieve those goals. To learn more:

Read PreVeil’s briefs: