
CMMC Compliance Deadline


What is the Timeline for CMMC?

As outlined in the CMMC 2.0 Proposed Rule published in December 2023, the Cybersecurity Maturity Model Certification (CMMC) requirements will be phased in over a period of roughly 30 months. According to the U.S. Department of Defense (DoD) and subsequent analysis by DoD contracting specialists, the proposed rule indicates that the DoD expects to include CMMC requirements for Levels 1, 2 and 3 in all applicable solicitations issued on or after October 1, 2026. The overall timeline for implementation of the CMMC program is as follows.

  • December 26, 2023—The proposed CMMC 2.0 rule was published in the Federal Register.
  • February 26, 2024—The public comment period for the proposed rule closed.
  • By Autumn 2025—The final rule is expected to be published, and self-assessments are expected to be required for CMMC 2.0 Level 1 and Level 2 as a condition of DoD contract awards.
  • October 1, 2026—From this date, the DoD intends to include CMMC requirements for Levels 1, 2 and 3 in all solicitations where Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) must be protected under the contract. By this date, Level 2 Certification Assessments (conducted by an authorized third party) are also expected to be required as a condition of contract award for all applicable contracts that involve CUI.

The CMMC deadline is subject to change; the DoD may adjust it in the final rule based on the public comments received on the proposed rule.

The steps required to meet the CMMC compliance deadline should be started sooner rather than later.

Is CMMC Replacing National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171?

The CMMC 2.0 program does not replace NIST SP 800-171. Both apply to contractors working with the DoD, but they serve different, complementary roles: NIST SP 800-171 defines the security requirements for protecting CUI, and CMMC defines how implementation of those requirements is assessed and verified.

Rather than replacing NIST SP 800-171, CMMC 2.0 builds on it, adopting its requirements as the foundation of Level 2. The transition to CMMC 2.0 does not diminish the relevance of NIST SP 800-171; it makes the NIST requirements a key component of a broader assessment and certification framework. For DoD contractors, this means that implementing NIST SP 800-171 remains essential, but they must also meet the additional assessment and certification requirements introduced by CMMC.

Following the CMMC compliance deadline, CMMC 2.0 and NIST SP 800-171 will continue to coexist with distinct roles. NIST SP 800-171 will remain the foundational standard for protecting CUI, and CMMC will add the assessment and certification layer that verifies it has actually been implemented.

What Companies Need CMMC Compliance?

CMMC compliance is mandatory for contractors and subcontractors within the defense industrial base (DIB) that handle FCI or CUI, which encompasses the businesses that engage either directly or indirectly with the DoD (suppliers of solely commercially available off-the-shelf items are excluded). The fundamental aim of CMMC is to safeguard the Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that DoD contractors and subcontractors handle against cyber threats.

Entities subject to the CMMC compliance deadline include those holding DoD contracts, whether as prime contractors or as subcontractors at any tier. This spans a broad spectrum of enterprises, from major defense contractors to small suppliers and service providers. Applicability is not limited to manufacturers of defense products: it also covers providers of services such as IT support, logistics, research and development, engineering, consulting, and training, whenever their work involves handling or accessing FCI or CUI.

To be ready for the CMMC deadline, organizations subject to compliance need to understand the three levels. Each level is defined by a set of required practices, and the levels are cumulative: each builds on the one below it.

  • CMMC Level 1
    Allows suppliers to self-attest compliance through annual self-assessments. At Level 1, organizations need to demonstrate basic cyber hygiene across 17 practices that correspond to the basic safeguarding requirements of FAR 52.204-21. Level 1 applies to DoD contractors and subcontractors that handle FCI but not CUI.
  • CMMC Level 2
    At Level 2, organizations must demonstrate that they have implemented the 110 security requirements of NIST SP 800-171 Rev. 2, which encompass the Level 1 practices. Depending on the contract, Level 2 is verified either by a triennial self-assessment or by a triennial certification assessment performed by a certified third-party assessor organization (C3PAO). Level 2 applies to DoD contractors and subcontractors that handle CUI.
  • CMMC Level 3
    Requires organizations to undergo a triennial government-led assessment, conducted by the DoD's Defense Contract Management Agency. At Level 3, organizations must demonstrate compliance with all Level 2 requirements plus a selected subset of the enhanced requirements in NIST SP 800-172, for a total of more than 110 practices. It should be noted that the CMMC 2.0 Level 3 requirements were still being finalized as of June 2024.

How Does Your Organization Get CMMC Compliance?

Achieving compliance ahead of the CMMC deadline is an essential undertaking for organizations in the DoD supply chain. The process involves the following steps.

Understand CMMC requirements
The first step is to understand the CMMC framework and identify the level that must be achieved ahead of the deadline. The applicable level depends on the type of data the organization handles now or will handle in the future: FCI alone points to Level 1, while CUI points to Level 2 or, for the most sensitive programs, Level 3.

Conduct a self-assessment
Once the applicable level is known, conduct a gap analysis of current cybersecurity practices against the CMMC requirements for that level. The assessment should highlight the areas that need improvement before the deadline, and typically involves reviewing documentation, processes, and IT infrastructure. Scoping matters here: define the boundary of the systems that store, process, or transmit FCI or CUI, since that boundary determines which assets will be assessed.

Develop a plan
Based on the gap analysis, create a plan to address the deficiencies identified. The plan should detail what is needed to implement the required cybersecurity practices and processes, covering people as well as technology, and should include procedures for updating policies, enhancing security infrastructure, and training employees.

Implement updates to cybersecurity
Following the plan, implement the updates to existing cybersecurity programs and processes. This usually includes upgrading systems, adjusting network configurations, and updating security controls to meet the CMMC practices at the level applicable to the organization.

Document policies and procedures
CMMC places significant emphasis on documentation. Organizations must have well-documented policies and procedures that align with the CMMC requirements, covering how the organization protects FCI and CUI and how it will sustain those security practices. Evidence artifacts (configurations, logs, screenshots, records of reviews) should also be maintained for every applicable security control as the organization prepares for its CMMC assessment, since assessors verify implementation, not just policy.

Undergo a pre-assessment 
For organizations that require a third-party assessment, an internal pre-assessment (or a readiness review by an external party) is optional but recommended before the official assessment. It helps identify oversights or areas that need further work while there is still time to remediate.

Choose a certified third-party assessor organization (C3PAO)
If a third-party assessment is required, select a C3PAO to conduct the independent assessment, which verifies that the organization meets the requirements of its target CMMC level. Verify a candidate's authorization status on the Cyber AB Marketplace, and evaluate its experience, cost, and reputation.

Conduct an official assessment and achieve certification
Where a third-party assessment is required, a successful assessment results in the organization receiving its CMMC certification, which remains valid for three years, with an annual affirmation of continued compliance required in between. Under the proposed rule, a limited Plan of Action and Milestones (POA&M) may be permitted for certain unmet requirements, but the open items must be closed within 180 days or the conditional certification lapses.

Be Prepared as the CMMC Compliance Deadline Approaches

The steps required to meet the CMMC compliance deadline should be started sooner rather than later. While the final deadline is still being finalized, most organizations take 12 to 18 months to achieve compliance on their own, even with the requisite skill sets in place. DoD contractors and subcontractors must also keep meeting evolving defense-related requirements to maintain their status in the DIB. It is therefore best to take immediate action on CMMC 2.0.

Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 17,000 customers with millions of users worldwide.

Last Updated: 26th June, 2024
