January 8, 2025

It’s taken over five years, but the Cybersecurity Maturity Model Certification (CMMC) program is finally here. The US Department of Defense (DoD) published the CMMC final rule on October 15, 2024. The new regulation (officially named CFR 32) goes into effect on December 16, 2024. Third-party compliance assessments by Certified Third Party Assessment Organizations (C3PAOs) officially begin on that date.

For companies that are ready now, achieving CMMC certification as soon as possible can help improve competitiveness in defense contract bids. But what about those that are still not prepared for a CMMC compliance assessment? 

This article overviews the key points of the CMMC final rule as they relate to compliance timing. Read on to understand when your business needs to be ready for a CMMC Level 2 compliance assessment.  

When will CMMC requirements start appearing in DoD contracts?

The CMMC final rule defines a four-year phased rollout for the CMMC program beginning on December 16, 2024. 

But before CMMC language can appear in DoD contracts, another regulation first needs to become law—the Code of Federal Regulations Title 48 (CFR 48). This is the rule required to execute CMMC within the Defense Federal Acquisition Regulation Supplement (DFARS).   

CFR 48 has been issued as a Proposed Rule and its public comment period has concluded; it now needs to go through comment resolution and Office of Information and Regulatory Affairs (OIRA) review before it becomes final. The DoD estimates that CFR 48—and CMMC along with it—will begin appearing in contracts by early to mid-2025.

At that point, select contracts will begin requiring CMMC compliance per phase one of the CMMC rollout, which extends through 2026.  

According to Sanjeev Verma, Chairman and co-founder at PreVeil, CMMC’s protracted rollout may have been a blessing in disguise. “The time it took has actually been beneficial for the purveyors of solutions to understand things, to refine things, and to get large numbers of companies that don’t understand what they’re getting into at all to be familiar with it,” says Sanjeev. “If CMMC had just come out and been the law, we would have seen massive failures, because the adopters and the providers were not quite ready for this pretty sophisticated standard.” 

So, while the long delay caused frustration and confusion, it may have helped the US defense industrial base (DIB) prepare for the challenging CMMC journey. All that said, the time for DIB orgs to be ready to demonstrate CMMC compliance is now. 

Why are prime contractors already requiring “CMMC ready” subcontractors?

While a four-year, four-phase rollout process may seem to give defense suppliers plenty of time to prepare for CMMC, prime contractors are already beginning to require subcontractors to self-attest to compliance with CMMC Level 2 or to undergo a C3PAO or DIBCAC compliance assessment. 

Why would primes require CMMC Level 2 compliance ahead of the DoD? Because they want to be ready to bid on contracts that may or may not require CMMC compliance. They will preferentially work with “CMMC ready” suppliers to present the strongest possible team to the DoD with regard to cybersecurity. They can’t take a chance on losing a contract because their subcontractors cannot demonstrate adequate cybersecurity.

This is why, even though CMMC is rolling out over four years, DIB orgs that want to remain competitive need to get ready now to demonstrate CMMC Level 2 compliance. 

Keep in mind that the DoD’s cybersecurity control requirements for subcontractors have not changed significantly since December 2017, when the Defense Federal Acquisition Regulation Supplement 252.204-7012 (DFARS 7012) clause began appearing in many DoD contracts. DFARS 7012 requires subcontractors to self-attest to compliance with the 110 controls in NIST 800-171—the same 110 controls that the CMMC final rule mandates.

Sanjeev explains: “If you’re a prime putting a bid together, two things drive your thinking. Number one, you don’t know what contracts could ask for CMMC, and you have to be prepared to bid on any contract. Second, primes don’t know which suppliers are going to be required for which contracts. So, as a supplier you must be prepared right now—unless you’re prescient or you’ve decided to sit it out.” 

Moreover, as the CMMC rollout goes on, the DoD might require CMMC compliance on contract refresh/renewal where it was not required initially. This makes primes even more leery of partnering with suppliers whose cybersecurity is weak or unvalidated, only to have them removed from the program down the road because they still haven’t achieved CMMC. 

Key takeaways from the CMMC final rule 

Now that CMMC and its rollout process are finalized, here are the key takeaways for DIB SMBs: 

  • Start your CMMC compliance preparations now if you haven’t already, because it can now be said with certainty that CMMC is not going away. It will take most DIB SMBs 9 to 24 months to achieve compliance, depending on their current cybersecurity posture and access to key resources like money and skills.  
  • Don’t be intimidated by CMMC. The long runup to the CMMC final rule has given vendors, consultants, and other service providers time to understand what DIB SMBs need and how to help simplify and manage the compliance process.  
  • Don’t view CMMC as a “check the box” compliance exercise. Compliance does not equal security, and the shortest route to compliance could leave you vulnerable. CMMC investments are the perfect chance for DIB orgs to do things right so your business and its sensitive data are verifiably protected.  
  • Especially in today’s threat environment, a CMMC-compliant cybersecurity posture is a fundamental baseline that every organization needs for operational continuity and business survival. Otherwise, you are vulnerable to ransomware and a wide range of other prevalent attacks that could immediately or eventually shut you down.

What’s next? 

For more guidance on this topic, listen to Episode 145 of The Virtual CISO Podcast with guest Sanjeev Verma, Chairman and co-founder at PreVeil.