If your organization currently works as a contractor with the Department of Defense (DoD), compliance is likely a critical component of your contract. Current Defense Federal Acquisition Register Supplement (DFARS) requirements include adherence to the National Institute of Standards and Technology (NIST) Special Publication 800-171 (SP 800-171). However, your next contract will likely require CMMC implementation.
How Soon Will CMMC Implementation Be Required?
Cybersecurity Model Maturity Certification (CMMC) is a new, comprehensive framework for DoD contractors. It is not presently required in most existing contracts but will be a component of all new ones by 2026 at the latest. All CMMC matters are overseen by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)).
The CMMC timeline has slightly shifted since it was first added to DFARS in 2020, but the organizations to which compliance applies must familiarize themselves with:
- The general rollout and volume of new, CMMC-required contracts over the next five years
- The requirements specific to Maturity Level 3, for the majority of DoD contractors
- The timeline for official verification for required CMMC implementation, at any level
Timeline for CMMC Rollout and Expected Contracts
The DoD has been somewhat inconsistent in its targets for CMMC implementation over the past two years. Per a 2020 National Defense report, the Pentagon reportedly expected about 7,500 organizations to be certified by 2021. But, according to the OUSD(A&S) FAQ, the DoD planned to have completed just 15 Prime Acquisitions by the end of 2021. Each could correspond to a larger number of individual contracts, distributed across Prime contractors’ subcontractors.
The total number of Prime Acquisitions targeted in each upcoming rollout year, per the FAQ, is:
- 75 Prime Acquisitions in Fiscal Year 2022
- 250 Prime Acquisitions in Fiscal Year 2023
- 325 Prime Acquisitions in Fiscal Year 2024
- 475 Prime Acquisitions in Fiscal Year 2025
Adding to the confusion is that these figures do not specify which Maturity Levels are targeted for each threshold, nor how many individual contracts are estimated across all contracts. What is known, though, is that all new contracts will contain a CMMC requirement no later than 2026.
Timeline for Implementing CMMC up to Maturity Level 3
Most small to medium-sized contractors who currently work with the DoD—or hope to shortly—should implement CMMC up to Maturity Level 3 as soon as possible. As early as mid-2020, the DoD required some mid-sized contractors bidding for contracts to document CMMC implementation, per a 2020 DoD news brief. But that same report indicated that, at that time, there were only “one or two” organizations expected to reach Maturity Levels 4 or 5.
The DoD was also reportedly fielding contract requests from companies at Maturity Level 1. However, this is unlikely to continue moving forward, as Levels 1 and 2 serve as transitions en route to the complete “cyber hygiene” implementations required for achieving Level 3 certification. Therefore, this is the threshold most organizations should aim for in the near future.
Implementation at Level 3 should be relatively straightforward for organizations already compliant with NIST SP 800-171. It comprises the 110 Requirements from SP 800-171, framed as Practices in the CMMC framework, along with 20 Practices from other, related frameworks.
Timeline for Verifying CMMC Implementation at any Level
Most organizations that will ultimately need to implement CMMC have not yet passed an official, certified assessment. This is because, as the process is still rolling out, the official CMMC Accreditation Body (CMMC-AB) has not yet fully qualified many Certified Third Party Assessor Organizations (C3PAOs). C3PAOs will eventually be responsible for assessing and verifying CMMC implementation to organizations seeking certification at all Maturity Levels.
As of May 2021, only one C3PAO candidate had been certified at Maturity Level 3, per the CMMC-AB FAQ. The absence of available assessors is another reason the timeline for full implementation remains somewhat uncertain: the timeframe for certifying the assessors is uncertain.
RSI Security is currently in the process of becoming a fully accredited C3PAO. Our long-standing familiarity with NIST SP 800-171 compliance and the ongoing CMMC rollout positions us to provide expert advisory services for CMMC implementation.
Additionally, CMMC advisory and C3PAO certification cannot be conducted by the same entity. Therefore, if your organization is seeking CMMC support, we very much can aid your organization in securing a long-lasting, lucrative relationship as a preferred contractor or vendor with the DoD.
Achieve CMMC Implementation—Ahead of Schedule
While the specific CMMC implementation timeline or required deadline is a bit uncertain for most organizations, one thing is absolutely clear: all future contracts with the DoD will require CMMC implementation no later than 2026.
RSI Security offers consultative services and various resources to companies currently implementing CMMC controls or mapping over from NIST SP 800-171 and related frameworks. Our blog collects up-to-date information on best practices and high-level CMMC implementation guides for all Maturity Levels. However, the complexities of actual CMMC implementation require much more in-depth and hands-on advisory.
To get started strategizing for, implementing, and ultimately verifying CMMC implementation, contact us today!