CMMC Timeline: Countdown to Compliance Deadline

October 15, 2024

The CMMC Final Rule (CFR 32) has been published in the Federal Register. The CMMC program will become effective on Dec 16, 2024 & enter contracts in mid-2025.

CMMC Background

Defense contractors handling controlled unclassified information (CUI) have been required to meet the 110 controls of NIST 800-171 since 2017. CMMC will validate compliance with NIST 800-171 through independent assessments conducted by C3PAOs (CMMC Third-Party Assessor Organization).

The DoD has made clear that CMMC is imminent and defense contractors need to work towards meeting compliance. Here’s what Matt Travis (CEO of Cyber-AB) warned at PreVeil’s Virtual CMMC Summit:

It is very risky and detrimental to your business to delay implementation of the 110 NIST 800-171 requirements.

The Latest CMMC Timeline

The CMMC Final Rule was published on October 15, 2024. It will become effective on Dec 16, 2024, and enter contracts in mid-2025.

CMMC Compliance Deadline: When will it be in contracts?

The DoD Deputy Chief Information Officer (CIO) for Cybersecurity, David McKeown, said in June 2024 that “the DOD should be officially rolling CMMC 2.0 out and including it in contract paperwork in the first quarter of calendar year 2025”.

However, this does not mean that companies should wait to begin a CMMC implementation plan. NIST 800-171, which CMMC is based on, is already required today. Furthermore, Primes are already beginning to require their subcontractors to meet CMMC compliance requirements, ahead of the rule. Here’s what Leidos CISO JR Williamson said on a PreVeil panel,

Compliance isn’t going away. It is going to be a requirement to be able to bid on and continue to operate on these contracts.

Defense contractors who are not yet meeting all 110 NIST 800-171 controls should prioritize this immediately if they wish to continue bidding on defense contracts.

Preparing for CMMC Level 2

Given that CMMC will be in contracts in Q1 2025, you need to get started on your compliance preparations now, as it takes 12 months for the average defense contractor to get assessment ready. Doing nothing is not an option. Here’s what Matt Travis said:

If you do not get CMMC Certification, you will not be able to win DoD contracts. I cannot emphasize that enough

If you’re not sure where to start, read our CMMC Compliance Checklist blog. For convenience, here are a few ways to expedite your compliance journey:

1. Limit your Compliance Boundary with an Enclave: You may be able to establish a secure, isolated environment for CUI, which can simplify your documentation and save you money on licenses.

2. Use Pre-filled Documentation: Protecting CUI is at the core of NIST and CMMC compliance. However, you also must provide detailed documentation to prove that you’re compliant. CMMC assessments will be conducted by C3PAOs who will start by asking for this documentation. For example, your System Security Plan (SSP) needs to document how your organization meets the 110 controls of NIST 800-171.

3. Limit POA&MS: Plans of Actions & Milestones (POAMs) describe your plan to meet any controls that are currently unmet. Make sure you are taking steps to address any POAMs and specifying the technologies and procedures you will need to close those gaps. C3PAOs will allow for only a limited use of POAMs at the time of assessment and then only for the least critical controls. You will need a minimum score of 80% (88/110) to be eligible for a conditional certification so we do not recommend relying on POAMs to pass CMMC.

4. Leverage Partners: If you get stuck, or don’t have the time or expertise to complete the steps required, you can take advantage of PreVeil’s preferred network of Assessors, Consultants, and Service Providers. They offer a variety of services to help accelerate your compliance journey, and you can have confidence that they were vetted and recommended by the PreVeil compliance team.

According to the current letter of the law, NIST 800-171A, you are already responsible for meeting all of the security standards included in CMMC. If you are not yet fulfilling this obligation, the time to act is now.

Next Steps

The goal for defense contractors is to not only remain eligible to win defense contracts, but also to minimize business risk and protect CUI from our country’s adversaries. By getting started on your organization’s compliance journey, you can achieve these objectives and ensure your company is ready for ramped-up federal enforcement of cybersecurity regulations.

To learn more:

Book a Demo

Schedule a free 15-minute call with our compliance experts
Guide to Complying with CMMC
Case Study: Defense Contractor Achieves 110/110 Score in NIST 800-171 DoD Audit

Author

Orlee Berlove, reviewed by Noël Vestal, PMP, CMMC RP

Noël Vestal is PreVeil's Compliance Officer and CMMC Certified Professional (CCP) with over 15 years in DoD IT program management. She implemented the NIST 800-171/CMMC Level 2 compliance program for an OSC member of the DIB. She has her M.S. in Information Technology and holds certifications from the CMMC Accreditation Body (CyberAB), Project Management Professional (PMP), and CompTIA’s Security + certification.

Orlee Berlove has been a marketing leader for over 25 years, and is currently the Senior Director of Marketing at PreVeil. She has her Masters of Engineering, Operations Research and her Bachelor of Arts from Cornell University.

Related Blog

See All Blog

October 17, 2024

The CMMC Final Rule is Published: What Contractors Need to Know

CMMC

October 10, 2024

What is ITAR Compliance

ITAR

October 7, 2024

Countdown to Compliance: Demystifying the CMMC Timeline

By: Orlee Berlove, reviewed by Noël Vestal, PMP, CMMC RP