
Understanding the CMMC Timeline

As the Cybersecurity Maturity Model Certification (CMMC) program approaches a pivotal stage, understanding the current status and anticipated rollout timeline is critical for defense contractors and suppliers within the Defense Industrial Base (DIB). The CMMC program, designed to enhance the protection of sensitive federal contract information (FCI) and controlled unclassified information (CUI), is entering a decisive phase with key regulatory milestones on the horizon.

CMMC rollout timeline graphic

Background of CMMC Program Development

The CMMC program was first introduced in January 2020 by the U.S. Department of Defense (DoD) to address growing cybersecurity threats and strengthen the security posture of the DIB. The initial framework included five levels of maturity, but after extensive industry feedback, the DoD streamlined the model into the current three-level structure under CMMC 2.0, announced in November 2021. The revised framework aimed to simplify requirements, reduce costs, and align more closely with existing NIST SP 800-171 controls.

Throughout 2022 and 2023, the DoD continued to refine the program through public comments and pilot programs, setting the stage for formal rulemaking under Title 32 and Title 48 of the Code of Federal Regulations (CFR).

32 CFR Rule Published – October 2024, Effective December 2024

A major milestone was reached when the DoD published the final rule for 32 CFR Part 170 (the “32 CFR rule”) in October 2024, with an effective date of December 16, 2024. The rule formally establishes the foundational requirements and governance framework for the CMMC program, including the assessment and certification requirements for each level and the responsibilities of defense contractors to safeguard sensitive information.

In short, the 32 CFR rule made the CMMC program official. This publication formalized the framework and provided critical clarity on the program’s structure, but the CMMC requirements will not become contractually enforceable until the complementary 48 CFR rule is finalized.

48 CFR Rule – Current Status and Expected Finalization

The 48 CFR rule, which will incorporate CMMC requirements into the Defense Federal Acquisition Regulation Supplement (DFARS) through clause 252.204-7021, is currently in the final stages of the rulemaking process. The DoD is expected to finalize and publish the 48 CFR rule in mid-to-late 2025, following the public comment period and interagency review.

While there was skepticism about the future of the CMMC program due to the potential impact on the 48 CFR rule of the Regulatory Freeze Pending Review Executive Order issued by the Trump administration in January 2025, the 60-day postponement period has passed with no indication that CMMC will be affected.

Once the 48 CFR rule is finalized, CMMC requirements will begin appearing in DoD contracts, making compliance a prerequisite for contract awards. This marks the transition from rulemaking to implementation, directly impacting the ability of defense contractors to secure future contracts.

CMMC Rollout Timeline Upon Finalization of the 48 CFR Rule

The DoD Chief Information Officer has outlined a phased rollout that implements CMMC over the next several years, beginning on the effective date of the 48 CFR rule (expected roughly 60 days after the final rule is published). The phased approach is designed to give contractors time to adjust to the new requirements and achieve certification without disrupting ongoing contract performance.

The proposed implementation timeline is structured as follows:

  • Phase 1 (begins when the 48 CFR rule takes effect): Applicable solicitations will require a Level 1 or Level 2 Self-Assessment. DoD may, at its discretion, require Level 2 Certification in place of a Level 2 Self-Assessment for some solicitations.

  • Phase 2 (12 months after the start of Phase 1): Applicable solicitations will require Level 2 Certification (an assessment by a C3PAO) rather than a Level 2 Self-Assessment. Level 1 remains a self-assessment in every phase.

  • Phase 3 (24 months after the start of Phase 1): Applicable solicitations will require Level 3 Certification (a DIBCAC-led assessment) in addition to the Phase 2 requirements.

  • Phase 4 (36 months after the start of Phase 1): Program reaches full implementation. All applicable solicitations and contracts require the designated CMMC level (Level 1 Self-Assessment, Level 2 Self-Assessment, Level 2 Certification, or Level 3 Certification) as a condition of contract award.

Why Start Preparing Now?

Based on the proposed rollout timeline, the DoD anticipates full adoption of CMMC requirements across all applicable contracts roughly three years after Phase 1 begins, which puts full implementation in 2028 if the 48 CFR rule is finalized in 2025. While it may be tempting to hold off on preparing (e.g., due to the cost of implementation), there are a number of considerations organizations should keep in mind when deciding when to kick preparations into high gear.

  • Time Required to Achieve Compliance: Full implementation of all 110 Level 2 requirements (and the 320 corresponding assessment objectives from NIST SP 800-171A) can take 12 to 18 months, depending on where your organization is starting from. Adequate preparation doesn't happen overnight, so it's never too early to start planning. A preliminary gap assessment is a great way to determine your current compliance posture and start building a roadmap to certification!

  • Flow-Down Requirement: The draft 48 CFR rule (as well as other existing DFARS clauses) includes a flow-down requirement meaning that once a prime contractor is required to be compliant (either through a self-assessment or full certification), the prime is responsible for ensuring any subcontractors they leverage for fulfilling CUI-related contracts meet the same requirement. If you're a prime contractor, start working with your subs now to make sure they're prepared. If you're a sub, reach out to your prime(s) to see where they stand and what their expectations are of you once CMMC starts showing up in contracts.

  • False Claims Act Violations: We do our best to avoid FUD (fear, uncertainty, and doubt) when talking about security and compliance, but we can't ignore that there could be significant repercussions if an organization falsely represents itself as being compliant. Recent headlines about organizations being subject to substantial fines under the False Claims Act demonstrate that the Department of Justice is continuing to wield its power to enforce compliance as part of the Civil Cyber-Fraud Initiative. It's hard to overstate the financial and reputational damage to organizations hit by an FCA violation. Don't let yours become one of them!

  • Limited C3PAO Capacity: In addition to the time it takes to prepare for certification, a shortage of accredited assessor organizations has created another bottleneck which could delay an organization's journey to full compliance. Through our relationships with C3PAOs, customers, and others in the space, we've seen that many are booked out 6 months or more for performing CMMC assessments. Start planning now and get on an assessor's calendar before a certification requirement lands on your doorstep!

Preparing for CMMC Compliance

For defense contractors and suppliers, the time to prepare is now. With the 32 CFR rule published and the 48 CFR rule nearing completion, organizations should assess their current cybersecurity posture, identify gaps against NIST SP 800-171 requirements, and develop a strategy for achieving the appropriate CMMC level.

As a CyberAB Registered Practitioner Organization (RPO) led by the former IT security & compliance lead for one of the first 50 organizations to achieve certification, Triumvirate Cybersecurity is prepared to support your organization through every step of the CMMC journey – from initial assessment to achieving and maintaining certification. Contact us today to begin your CMMC readiness assessment and build a compliance strategy to position your business for future success!




© Triumvirate Cybersecurity 2025
