Now that the much-anticipated final rule establishing the U.S. Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) Program has cleared its last regulatory hurdle, you may have more questions than answers.
What does the passage of the final CMMC program rule mean for my business? When will CMMC take effect? What are the next steps in the CMMC implementation process? CMMC is a DoD security program meant to protect the Department's sensitive unclassified information (Federal Contract Information and Controlled Unclassified Information) from cybersecurity threats. If you're a defense contractor, this article will help answer these and other questions about CMMC implementation.
After reading this article, you will learn the CMMC requirements and the steps you need to take to make sure you can keep doing business with the DoD.
Source of chart: US Department Of Defense
CMMC will be rolled out incrementally in four phases over three years. The first phase is expected to begin in June 2025, with each subsequent phase beginning one calendar year after the previous one, so that full implementation (Phase 4) is expected by June 2028.
While the DoD hasn’t provided a specific deadline for meeting the new compliance standards, you should be aware that the DoD can include the CMMC requirements in contracts before the CMMC rollout is complete.
You should also know that some DoD contractors are requiring their subcontractors to show CMMC compliance now.
Alongside the final CMMC program rule, the DoD has also proposed a companion Defense Federal Acquisition Regulation Supplement (DFARS) rule. The DFARS rule is what allows contracting officers to make the applicable CMMC level a condition of contract award.
The final DFARS rule is expected to take effect by mid-2025. The DFARS effective date matters because it is the date that starts the clock on the CMMC phased rollout.
Related Article: What Is DFARS And Why Is Compliance Important? How Is It Tied To NIST?
If you believe your business is fully compliant now, companies that need a Level 2 certification assessment (performed by a CMMC Third-Party Assessment Organization, or C3PAO) or a Level 3 assessment can request an assessment immediately; these early requests receive scheduling priority.
Because the DoD is implementing CMMC as a pre-award requirement, you must meet the security requirements of the CMMC level specified in a solicitation in order to remain eligible for work in the Defense Industrial Base (DIB). In practice, this means that if you want to keep your DoD contract or bid on a new one, you need to meet the new security standards before award.
After reading this article, you should understand what CMMC is and why it matters to your business if you are a DIB contractor handling sensitive DoD information.
Since it can take companies at Level 1 approximately 4-6 months to prepare for an assessment, and companies at Levels 2 and 3 as long as 18 months, you should also recognize that there is no time to waste.
If you already have in-house cybersecurity staff who can ensure that you meet all of the CMMC controls, you might not need outside help. If you don't have sufficient staff or internal expertise, hiring a managed IT services provider (MSP) may make sense.
The expertise of an MSP can help you avoid time-consuming and costly mistakes as you work toward compliance.
Related Article: What is an IT Managed Services Provider (MSP)? (Should you use one?)
If you decide to explore options for external IT support, we encourage you to compare several providers so that you find one that is the right fit for your organization. We take this advice seriously enough that we've done some of the legwork for you.
See for yourself how Kelser stacks up against one of our competitors (Cooperative Systems), based on publicly available information from both organizations' websites. We realize that offering such head-to-head comparisons is unusual, and we want to be upfront that both organizations have strengths.
Whether you need to fast-track your compliance efforts or have already started the process and need guidance, our staff has helped organizations like yours navigate the steps to meeting NIST and CMMC regulatory compliance requirements for years.
If you’re a business within the DIB and need help preparing for NIST 800-171 or CMMC, use the button to start a conversation with one of our IT experts to see how we can work together to solve your compliance challenges.