Are You A DoD Contractor With Questions About The Final Rulemaking Process And Implementation Of CMMC 2.0?
If you answered yes to that question, you’re not alone.
CMMC 2.0 has been a long time in the making. And while we’re not in the final stage of implementation yet, we’re getting closer by the day.
With timelines for certification stretching into Q1 2025, the time to prepare is now.
In this post, we’ll provide clarification for DoD contractors in these four critical areas:
- What should you expect to happen this year?
- What can we expect in early calendar year 2024?
- When should you expect CMMC language to start appearing in your contracts?
- When should you start your certification process?
So let’s get started with the basics.
What Should You Expect To Happen This Year?
The good news is the Office of Information and Regulatory Affairs (OIRA) has concluded its review of the CMMC 2 Program, as reported on their official website:
So with the mandatory regulatory review process by OIRA complete, we expect to see the CMMC 2.0 Rule published in the Federal Register sometime before the end of CY 2023.
Again, that’s great news, but there is still some ambiguity about exactly how the Rule will be published. It could show up as an “Interim Final Rule” or a “Proposed Rule.”
That designation is important and will have a major impact on when CMMC 2.0 could become effective.
More on that later.
What Can We Expect In Early Calendar Year 2024?
There are two paths we can expect for CMMC 2.0 in 2024. Those paths depend on how the Rule is published, i.e. as a Proposed Rule or an Interim Final Rule. We found a great explanation of the difference between the two at the Federal Register:
Interim Final Rule: When an agency finds that it has good cause to issue a final rule without first publishing a proposed rule, it often characterizes the rule as an “interim final rule,” or “interim rule.” This type of rule becomes effective immediately upon publication. In most cases, the agency stipulates that it will alter the rule if warranted by public comments. If the agency decides not to make changes to the interim rule, it generally will publish a brief final rule in the Federal Register confirming that decision.
If the Rule is published as an Interim Final Rule, CMMC will most likely go into effect in Q1 2024, since public comments do not have to be reviewed and addressed before publication of the Final Rule.
This time frame would provide for a 60 day public comment period after being published in the Federal Register by OIRA in December 2023 with no extensions.
If it’s published as a Proposed Rule, which many experts believe is the more likely scenario, there will be an approximately 12-month public comment review and analysis period before the final CMMC 2.0 Rule takes effect. That takes us into Q1 2025.
It’s also important to note that DoD will not be making any public comments or official announcements, webinars, etc., until after the final rulemaking process is finished and all public comment and review periods are complete.
We’re not going to speculate on which scenario is more likely. Instead, we’re going to provide you with actionable information on when and how to prepare for either scenario.
We’ve covered a lot of ground, so let’s wrap it all up.
When Should You Expect CMMC Language To Start Appearing In Your Contracts?
This one is a binary answer. It looks like either Q1 2024 or Q1 2025.
If the CMMC 2.0 Rule is published as an Interim Final Rule this December (2023), you’re looking at CMMC 2.0 compliance language and requirements potentially showing up in your contracts in Q1 2024. If it’s published as a Proposed Rule, you’re looking at Q1 2025.
What does that mean for you as a DoD contractor or subcontractor?
Since NIST 800-171 is the wellspring of the 110 CMMC Level 2.0 certification requirements, we’ll use that standard as your preparedness benchmark to determine your certification timelines.
When Should You Start Your Certification Process?
The Department encourages contractors to continue to enhance their cybersecurity posture during the interim period while the rulemaking is underway.
Now let’s look at some timelines for Levels 1,2, and 3 certifications.
We’re estimating that it will take roughly 2-4 months for an average Level 1 assessment and implementation, where certification by a C3PAO is not required.
We expect that timeframe to be 10-20 months for a CMMC 2.0 Level 2 assessment, implementation, and certification process.
A CMMC 2.0 Level 2 assessment, implementation, and certification process looks like a 12 – 18 month minimum process.
These timelines place an immediate start time on your certification process, even given the best-case scenario of CMMC 2.0 getting published as a Proposed Rule.
As always, your CMMC 2.0 certification timeframe will depend on your organization’s state of cybersecurity readiness and technical capabilities.
If you haven’t started preparing for CMMC 2.0 yet, don’t panic, we’re here to help.
Actions You Need To Take (And When) To Prepare For The Official CMMC 2.0 Rollout
Let’s start designing your compliance action plan together. And today is the time to get the process started.
At SME, we have a team of experts with all the extensive experience, CMMC 2.0 knowledge, and certifications that it takes to keep up with today’s incredibly fast-paced world of cybersecurity.
CMMC 2.0 implementation and certification timelines are starting to stretch into Q1 2025. So let’s get prepared today.
Get in touch with our team at (703) 378-4110 to schedule Your Cybersecurity Assessment Today!
