One Step Closer: CMMC Rule Proposed in U.S. Federal Register

It’s been 4 long years since CMMC was initially announced, but it’s finally here. The Cybersecurity Maturity Model Certification is nearly a bona fide part of the U.S. Code of Federal Regulations. The proposed rule has been submitted to the Federal Register under DFARS Case 2019-D041. Following this milestone, the CMMC program will soon enter the next stage to being a requirement for organizations in the DIB.

What Does It Mean that the CMMC Rule is Proposed?


With the final draft of the proposed rule submitted, a 60-day public comment period has begun, ending October 15, 2024. This period allows members of the DIB to provide feedback on the proposed rule. However, the rule has been several years in the making, and little (if anything) is expected to change between now and its finalization. Barring any drastic deviations, the CMMC rule will be finalized in 48 CFR by the end of 2024, which will give organizations about 6 months before the start of the DoD’s “phased rollout” period.


Phased Rollout?


The DoD has indicated it intends to implement a 3-year phased rollout of the CMMC requirement. During this time, DoD program managers will have some discretion regarding which contracts include the CMMC requirement. However, by the end of the rollout period, a current CMMC certification or CMMC self-assessment, depending on the level required by the solicitation, will be required at the time of contract award for all information systems that process, store, or transmit FCI or CUI.


What Should I Do?


The phased rollout is not a reason to postpone your organization’s efforts to achieve CMMC compliance, as there is no guarantee whether the contracts your organization will bid on will or won’t include the CMMC requirement. Not only that, but if you’re currently working under a contract containing the DFARS 7012 clause (48 CFR § 252.204-7012), you’ve already committed to meeting at least some of the NIST SP 800-171 requirements regardless of the CMMC rule!


If a solicitation does require CMMC once the rule is in place, you will likely have less than 60 days from submitting your proposal to achieve compliance if you aren’t there already. Being truly prepared can take significantly longer: our experience has shown that preparation can take 12-18 months for Level 2. Don’t risk missing out on contracts your organization would have won because of a lack of compliance!


If you haven’t already, assess your current compliance stature. Consider connecting with an RPO to perform a practice assessment and see how your organization stacks up. A good partner will give you an honest appraisal of your current state and work with you to ensure you have a plan for the next steps—whether that’s moving straight on to a C3PAO audit, closing out your POAMs, or developing a plan to get from where you are to where you need to be.


How We Can Help


Triumvirate Cybersecurity provides gap analysis, project management, and policy & procedure development services to help our customers prepare for and achieve certification. Contact us today to schedule a discussion about your organization’s path to CMMC compliance!





31 S. Main Street, Suite 390, Dayton, OH 45402

(937) 203-8443    CAGE: 9ZW92

© Triumvirate Cybersecurity 2026