It’s the Final (CMMC) Countdown!
- Triumvirate Cyber

- Oct 15, 2024
- 3 min read
Following the Department of Defense’s surprise announcement last Friday, the final CMMC rule will be adopted into the Federal Register today! What does this mean for your organization and how can your organization prepare?

Last Friday, October 11th, the Department of Defense issued a press release indicating the final CMMC rule had been released and would be published in the Federal Register Tuesday October 15th — the same day the public comment period was set to end. Today is October 15th, meaning the rollout of CMMC has officially begun!
So the CMMC Rule is Published… When Do I Need to be Certified?
TL;DR – Be prepared for CMMC requirements to start showing up in contracts by the end of 2025.
The short answer is: it depends. There are many factors which play into when an organization needs to achieve certification. With today’s adoption of the CMMC rule into the Federal Register, CMMC is now the law of the land for members of the Defense Industrial Base. That doesn’t mean you need to be certified TODAY, but you should start preparing ASAP to ensure your organization is ready to support defense contracts once certification is required.
Per the DoD’s press release, “The DoD's follow-on Defense Federal Acquisition Regulation Supplement (DFARS) rule change to contractually implement the CMMC Program will be published in early to mid-2025. Once that rule is effective, DoD will include CMMC requirements in solicitations and contracts. Contractors who process, store, or transmit FCI or CUI must achieve the appropriate level of CMMC as a condition of contract award.”
So where does that leave us? Once CMMC is added into DFARS (early to mid-2025), contracting officers will be able to start requiring certification in DoD contracts and solicitations/RFPs. The contracts and solicitations will specify what level of certification is required and, while contractors can still bid on solicitations before completing certification, the selected contractor must achieve certification prior to contract award.
What’s this about a Phased Rollout?
The CMMC rule includes the DoD's intent to implement a 3-year phased rollout of the CMMC requirement beginning with Level 1 self-assessments, moving to Level 2 self-assessments, followed by Level 2 third-party (C3PAO) assessments, and finally Level 3 DIBCAC assessments.
During this time, DoD program managers will have some discretion regarding which contracts include the CMMC requirement. However, by the end of the rollout period, a current CMMC certification or CMMC self-assessment will be required at the time of contract award, depending on the level required per the solicitation, for all information systems that process, store, or transmit FCI or CUI.
The expectation is for the phased rollout to begin with the largest contractors and highest-sensitivity CUI contracts, meaning smaller organizations should have a bit more time to get compliant. However, contractors who have the DFARS rule included in their contracts first will be required to flow down those requirements to their subcontractors, so smaller organizations shouldn’t assume they won’t be required to have certification until the end of the rollout period.
How Can I Prepare?
The first thing your organization should do to prepare for CMMC is take stock of its current compliance posture. At minimum, get familiar with the CMMC Level 1 requirements, which all organizations handling FCI will need to abide by and which create the foundation for achieving Level 2 certification.
At Triumvirate Cybersecurity, we highly recommend reviewing the CMMC self-assessment and scoping guides to get an idea of the requirements and the DoD’s recommendations for determining assessment scope — which can greatly help or hinder an organization’s efforts to comply with the requirements. Begin preparing a system security plan (SSP) based on your current state and developing documentation around systems and processes — being able to hand auditors a stack of your policies and procedures makes the audit much easier on both of you!
After performing an initial assessment, complete a gap analysis to determine where your organization has work to do. Develop project plans and prioritize them accordingly to implement the changes. Track completion of these projects and their impact on your CMMC readiness. Rinse and repeat until you’re confident you’ve met the requirements, then consider working with a Registered Practitioner Organization (RPO) for a practice assessment to alleviate the pre-audit jitters.
What’s Next?
As a CyberAB Registered Practitioner Organization (RPO), Triumvirate Cybersecurity specializes in helping organizations establish an appropriate scope of certification based on their operating model, assess their current compliance stature through practice assessments and gap analysis, guide implementation through robust project management, create meaningful and aligned policy and procedure documentation, and maintain compliance in the long run.
Learn more about our services on our website and reach out to schedule a consultation to get your organization on the road to CMMC compliance!