If your organization contracts with the Department of Defense (DoD), compliance is a crucial aspect of your contract and you currently must meet the Defense Federal Acquisition Regulation Supplement (DFARS) requirements, which include following the National Institute of Standards and Technology (NIST) Special Publication 800-171 (SP 800-171). However, the DoD created the Cybersecurity Maturity Model Certification (CMMC) as a comprehensive framework to enhance cybersecurity across the defense supply chain. Over the past two years, the DoD’s targets for CMMC implementation have seen some fluctuations, leading to a mix of anticipation and uncertainty among contractors. Understanding these changes and how they affect you is crucial for staying compliant and competitive. Let’s delve into what’s been happening, what to expect in the coming years, and how you can effectively navigate these changes.
How Soon Will CMMC Implementation Be Required?
CMMC is an extensive new framework for DoD contractors. While it’s not yet a requirement in most existing contracts, it will be mandatory for all new contracts by 2026. The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) oversees all CMMC-related matters.
Though the CMMC timeline has adjusted slightly since its introduction to DFARS in 2020, it’s essential for affected organizations to understand:
- The overall rollout and the volume of new CMMC-required contracts over the next five years.
- The specific requirements for Maturity Level 3, which apply to most DoD contractors.
- The timeline for official verification of CMMC implementation at any required level.
The Initial Expectations and Shifting Targets
In 2020, the National Defense report set an approximate goal of 7,500 organizations that were expected to achieve CMMC certification by 2021. This target reflected a push towards integrating cybersecurity standards across the defense contractor ecosystem. However, as the year progressed, the DoD’s focus narrowed. According to the OUSD(A&S) FAQ, the DoD set a more modest aim of certifying just 15 Prime Acquisitions by the end of 2021. This figure, while lower than initially anticipated, represented a crucial first step in rolling out CMMC requirements.
Each Prime Acquisition could involve numerous contracts, potentially extending the impact across Prime contractors and their subcontractors. The reduced target for 2021 indicated a phased approach to certification, allowing the DoD to refine processes and address any initial challenges before scaling up.
Targets and CMMC Implementation Timeline
Now, with a clearer path outlined, below is a list of the updated targets and implementation timeline for the coming fiscal years. The planned number of Prime Acquisitions for each fiscal year is:
- 75 Prime Acquisitions in Fiscal Year 2022
- 250 Prime Acquisitions in Fiscal Year 2023
- 325 Prime Acquisitions in Fiscal Year 2024
- 475 Prime Acquisitions in Fiscal Year 2025
These numbers reflect a gradual increase in the number of Prime Acquisitions subject to CMMC requirements. This phased approach manages the transition effectively and gives both contractors and the DoD ample time to adapt.
However, these figures don’t specify the Maturity Levels targeted or the estimated number of individual contracts. What’s clear is that all new contracts will require CMMC compliance by 2026. Furthermore, the CMMC framework includes several Maturity Levels, each with specific cybersecurity requirements, which adds a layer of complexity to the compliance process.
The Roadmap to 2026
By 2026, all new DoD contracts will require CMMC compliance as a mandatory component. This deadline marks a significant shift, ensuring that every contractor working with the DoD adheres to rigorous cybersecurity standards. To meet this requirement, contractors must prepare for a comprehensive certification process that aligns with the specific Maturity Level relevant to their contracts.
Key Dates in the CMMC Compliance Timeline
Moreover, the CMMC compliance deadline involves a five-year phase-in period with several important milestones:
- June 27, 2024: The DoD completed the adjudication process and submitted the “Final Rule” version of CMMC to the Office of Information and Regulatory Affairs (OIRA). OIRA now has up to ninety days to review, suggest modifications, and approve the Final Rule.
- October 27, 2024: Organizations can expect the Final Rule to be published in the Federal Register by October 26, 2024.
- End of 2024/Early Spring 2025: Revisions to DFARS 252.204-7012 and the associated DFARS clauses 252.204-7019, -7020, -7021, and others (sometimes collectively referred to as changes to “48 CFR” or the “48 CFR Rules”) will be completed. The DoD is actively updating the CMMC framework and expects to have all elements in place by the end of 2024 or early 2025.
- Mid 2025: CMMC is expected to begin appearing in contracts, marking the start of its mandatory inclusion in new agreements.
- October 1, 2026: The DoD intends to include CMMC requirements for Levels 1, 2, and 3 in all DoD contractor applications, marking a significant milestone in the rollout.
These dates are crucial for contractors to track as they represent key points in the transition to full CMMC compliance.
CMMC Implementation Timeline for up to Maturity Level 3
For most small to medium-sized contractors working with the DoD or planning to do so soon, implementing CMMC up to Maturity Level 3 should be a priority. As early as next year, the DoD will require certain mid-sized contractors to document their CMMC implementation when bidding for contracts.
Achieving Level 3 should be relatively straightforward for organizations already compliant with NIST SP 800-171. Level 3 includes the 110 requirements from SP 800-171, which are framed as practices in the CMMC framework, plus 20 additional practices from other related frameworks.
Maturity Levels: The CMMC framework comprises several Maturity Levels, from Level 1 (Basic Cyber Hygiene) to Level 5 (Advanced/Progressive). Most DoD contractors will need to achieve Maturity Level 3, which involves a more comprehensive set of cybersecurity practices and processes. Each level has distinct requirements, so it’s essential to determine which level applies to your contracts to prepare effectively.
Verification Timeline: The timeline for official verification of CMMC implementation depends on the Maturity Level and specific contract requirements. Contractors should stay up-to-date with the latest DoD updates to ensure they meet all deadlines and verification processes.
Start and Achieve CMMC Implementation
While the specific CMMC implementation timeline or required deadline is a bit uncertain for most organizations, one thing is clear: all future contracts with the DoD will require CMMC implementation no later than 2026.
RSI Security offers advisory services and various resources to companies currently implementing CMMC controls or ready for CMMC assessments. Our blog collects up-to-date information on best practices and high-level CMMC implementation guides for all Maturity Levels. However, the complexities of actual CMMC implementation require much more in-depth and hands-on advisory.
To get started on your CMMC implementation journey, contact us today!