CMMC Compliance Deadline
What is the Timeline for CMMC?
CMMC 2.0’s timing is based upon two different CFRs (Codes of Federal Regulation), which can be recapped as follows:
- The US Department of Defense’s (DoD’s) 32 CFR Part 170 (Cybersecurity Maturity Model (CMMC) Program) became a Final Rule in October 2024.
- The DoD’s 48 CFR Parts 204, 212, 217 and 252 (Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041)) is the contractual rule that will officially place the 252.204.7021 clause into DoD contracts. That rule is anticipated to become a Final Rule in approximately March 2025.
- It is anticipated that by March 2025, some DoD Contracts will contain the 252.204.7021 clause.
- With that timeline in mind, it is recommended that DoD contractors and subcontractors take immediate action to prevent gaps in being able to bid on and/or be awarded future DoD contracts.
- CMMC level requirements will be added to DoD solicitations and contracts over time, in a four-stage process that will also begin as early as March 2025.
- CMMC 2.0 requirements will be included for Levels 1, 2 and 3 in all solicitations and contracts when Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) require protection under the contract.
- It should be noted that prime contractors may require their supply chains to become compliant even before the official CMMC date. Certain DoD contracts may also include an early CMMC clause, provided there’s a bilateral contract modification after business negotiations have been completed. The modification must be agreed upon by the DoD and its contractor.
In the big picture, the release of both final rules outlined above will formally codify the CMMC 2.0 program for DoD contractors and subcontractors. Remember that the CMMC deadline is subject to change, and the DoD could make further adjustments over time. You should always reach out to the DoD directly if you have questions about your current or future contracts with the agency.
Is CMMC Replacing National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171?
The CMMC 2.0 program does not replace NIST SP 800-171. Rather, CMMC 2.0’s requirements are fully aligned with NIST SP 800-171 Rev. 2.
What Companies Need CMMC Compliance?
The first step is to determine whether CMMC applies to your organization. CMMC requirements apply to your organization if you’re a DoD contractor (and/or subcontractor) who manages (processes, stores, or transmits) Controlled Unclassified Information (CUI) or Federal Contract Information (FCI).
Entities that will be mandated to adhere to the CMMC compliance deadline include those engaged in contracts with the DoD, whether as primary contractors or subcontractors at any level. This consists of a broad spectrum of enterprises, ranging from major defense contractors to smaller suppliers and service entities. The applicability of the CMMC compliance deadline is not limited to defense product manufacturers. It also covers entities offering services, such as IT support, logistics, research and development, engineering, consulting, and training, when their operations involve handling or accessing FCI or CUI.
To be ready for the CMMC deadline, organizations subject to compliance need to understand the requirements for all three levels that are outlined below:
CMMC Level 1
Level 1 applies to DoD contractors and subcontractors who manage FCI only. When CMMC goes into full effect, Level 1 organizations will be required to perform annual self-assessments and have their results submitted into the Supplier Performance Risk System (SPRS).
CMMC Level 2
Level 2 applies to DoD contractors and subcontractors who manage CUI. A small proportion of Level 2 organizations (approximately 5%) will be required to perform annual self-assessments and submit their results into SPRS, as outlined in the Level 1 description above.
The remaining 95% will be subject to formal triennial assessments by a Certified Third-Party Assessor Organization (C3PAO). Their results will be submitted into the Enterprise Mission Assurance Support Service (eMASS).
CMMC Level 3
Level 3 applies mainly to the largest DoD contractors, who manage the DoD’s most sensitive contracts. In addition to being subject to CMMC Level 2 final assessments, Level 3 organizations are subject to 24 NIST SP 800-172 requirements that are assessed by the Defense Contract Management Agency Defense Industrial Base Cybersecurity Assessment Center (DCMA DIBCAC). Similar to Level 2, Level 3 companies’ results need to be submitted into eMASS.
In all cases, CMMC certification will ultimately be required as a condition of the DoD’s awarded contracts.
How Does Your Organization Get CMMC Compliance?
Achieving compliance to meet the CMMC deadline is an essential undertaking for organizations involved in the DoD supply chain. The process of CMMC compliance involves a series of meticulous steps.
Understand CMMC requirements
The first step is to thoroughly understand the CMMC framework and identify the level of compliance that needs to be achieved in advance of the CMMC deadline. Which of the three CMMC levels is applicable to your organization will depend on the type of data that’s currently being handled or will be handled in the future.
Conduct a self-assessment
When determining which level is applicable, organizations need to conduct a gap analysis to understand how their current cybersecurity practices match up against the CMMC requirements. This assessment should highlight areas that need improvement to meet the specific requirements for the CMMC compliance deadline. Often, this will involve reviewing documentation, processes, and IT infrastructure.
Develop a plan
Based on the gap analysis, organizations need to create a plan to address deficiencies that have been identified. This plan should detail what is needed to implement necessary cybersecurity practices and processes, including those related to people and technology. Part of the plan should be procedures for updating policies, enhancing security infrastructure, and training employees.
Implement cybersecurity updates
Following the plan, updates to existing cybersecurity programs and processes need to be implemented. This usually includes upgrading systems, adjusting network configurations, and updating security controls to meet the CMMC practices at the level that’s applicable to the organization.
Document policies and procedures
CMMC places a significant emphasis on documentation. Organizations must have well-documented policies and procedures that align with CMMC requirements. This documentation should cover how the organization intends to protect FCI and CUI, and how it will sustain those security practices. Artifacts should also be maintained for all applicable security controls, as your company prepares for its CMMC assessment.
Undergo a pre-assessment
For organizations that require a third-party assessment, this is an optional internal assessment that is recommended before the official assessment. This step helps identify any oversights or areas that might need further improvement.
Choose a certified third-party assessor organization (C3PAO)
If a third-party assessment is required, a C3PAO needs to be selected to conduct an independent assessment. This assessment verifies that the organization meets the requirements for the company’s desired CMMC level. To select a C3PAO, verify their accreditation status on the CMMC Cyber AB Marketplace, and evaluate their experience, cost, and reputation.
Conduct an official assessment and achieve certification
Again, this step applies only if a third-party assessment is required. After a successful assessment, the organization will receive its CMMC certification, which remains valid for three years from the date of its certification.
Be Prepared as the CMMC Compliance Deadline Approaches
The steps required to meet the CMMC compliance deadline should be considered right away. While the deadline is still being finalized, most organizations take 12 to 18 months to achieve compliance on their own, even if they have the requisite skill sets in place. CMMC 2.0 is part of a larger effort that enables DoD contractors and subcontractors to meet evolving defense-related requirements and maintain their approved status as DIB contractors and/or subcontractors. So, it’s best to take immediate action on CMMC 2.0.
Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 22,000 customers with millions of users worldwide.
Last Updated: 30th October, 2024