
CMMC Compliance Deadline


What is the Timeline for CMMC?

CMMC 2.0’s timing is based upon two different rules in the Code of Federal Regulations (CFR), which can be recapped as follows:

  • The US Department of Defense’s (DoD’s) 32 CFR Part 170 (Cybersecurity Maturity Model Certification (CMMC) Program) is currently a Proposed Rule, with a Final Rule expected in November 2024.
  • The DoD’s 48 CFR Parts 204, 212, 217 and 252 (Assessing Contractor Implementation of Cybersecurity Requirements, DFARS Case 2019-D041) is the contractual rule that will place the DFARS 252.204-7021 clause into DoD contracts. That rule is not anticipated to become a Final Rule until approximately May 2025.
  • It is anticipated that by about June 2025, some DoD contracts will contain the 252.204-7021 clause.
  • With that timeline in mind, it is recommended that DoD contractors and subcontractors take immediate action to prevent gaps in being able to bid on and/or be awarded future DoD contracts.
  • From June 2025 forward, there will be a 3-year roll-out of the CMMC requirements, resulting in all DoD contracts containing the 7021 clause. CMMC 2.0 requirements will be included for Levels 1, 2 and 3 in all solicitations and contracts when Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) require protection under the contract. Note that CMMC 2.0 Level 3 requirements are still being finalized as of August 2024.

In the big picture, the release of both final rules outlined above will formally codify the CMMC 2.0 program for DoD contractors and subcontractors. Remember that the CMMC deadline is subject to change, and the DoD may make further adjustments over time.

The steps required to meet the CMMC compliance deadline should be taken sooner rather than later.

Is CMMC Replacing National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171?

The CMMC 2.0 program does not replace NIST SP 800-171. Rather, CMMC 2.0’s requirements are fully aligned with NIST SP 800-171 Rev. 2.

What Companies Need CMMC Compliance?

CMMC compliance is mandatory for all contractors and subcontractors within the defense industrial base (DIB), which encompasses various businesses that engage either directly or indirectly with the U.S. Department of Defense (DoD). The fundamental aim of CMMC is to safeguard DoD contractors’ and subcontractors’ Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) against cyber threats.

Entities that will be mandated to adhere to the CMMC compliance deadline include those engaged in contracts with the DoD, whether as primary contractors or subcontractors at any level. This consists of a broad spectrum of enterprises, ranging from major defense contractors to smaller suppliers and service entities. The applicability of the CMMC compliance deadline is not limited to defense product manufacturers. It also covers entities offering services, such as IT support, logistics, research and development, engineering, consulting, and training, when their operations involve handling or accessing FCI or CUI.

To be ready for the CMMC deadline, organizations subject to compliance need to understand the three levels. Each level is based on required practices (sometimes referred to as “controls”), and in a tiered manner, each level builds on the previous level.

  • CMMC Level 1
    Allows suppliers to self-attest their compliance through annual self-assessments. At Level 1, organizations need to demonstrate basic cyber hygiene across 17 practices that represent the basic safeguarding requirements under FAR 52.204-21. Level 1 is primarily focused on DoD contractors and subcontractors that manage FCI.
  • CMMC Level 2
    At Level 2, organizations must demonstrate that they have implemented the requirements of NIST SP 800-171 Rev. 2, which comprises 110 practices and also encompasses the Level 1 requirements. Level 2 is primarily focused on DoD contractors and subcontractors that manage CUI.
  • CMMC Level 3
    Requires organizations to undergo a triennial (once every three years) government-led assessment. At Level 3, organizations will need to demonstrate compliance with a subset of NIST SP 800-172 requirements, which add to the 110 practices and also encompass the Level 1 and Level 2 requirements. Note that CMMC 2.0 Level 3 requirements are still being finalized as of August 2024.

How Does Your Organization Get CMMC Compliance?

Achieving compliance to meet the CMMC deadline is an essential undertaking for organizations involved in the DoD supply chain. The process of CMMC compliance involves a series of meticulous steps.

Understand CMMC requirements
The first step is to thoroughly understand the CMMC framework and identify the level of compliance that needs to be achieved in advance of the CMMC deadline. Which of the three CMMC levels applies to your organization depends on the type of data that is currently being handled, or will be handled in the future (FCI or CUI).

Conduct a self-assessment
Once the applicable level has been determined, organizations need to conduct a gap analysis to understand how their current cybersecurity practices match up against the CMMC requirements. This assessment should highlight areas that need improvement to meet the specific requirements for the CMMC compliance deadline. Often, this will involve reviewing documentation, processes, and IT infrastructure.

Develop a plan
Based on the gap analysis, organizations need to create a plan to address deficiencies that have been identified. This plan should detail what is needed to implement necessary cybersecurity practices and processes, including those related to people and technology. Part of the plan should be procedures for updating policies, enhancing security infrastructure, and training employees.

Implement updates to cybersecurity
Following the plan, updates to existing cybersecurity programs and processes need to be implemented. This usually includes upgrading systems, adjusting network configurations, and updating security controls to meet the CMMC practices at the level that’s applicable to the organization.

Document policies and procedures
CMMC places a significant emphasis on documentation. Organizations must have well-documented policies and procedures that align with CMMC requirements. This documentation should cover how the organization intends to protect FCI and CUI, and how it will sustain those security practices. Artifacts should also be maintained for all applicable security controls, as your company prepares for its CMMC assessment.

Undergo a pre-assessment
For organizations that require a third-party assessment, an optional internal pre-assessment is recommended before the official assessment. This step helps identify any oversights or areas that might need further improvement.

Choose a certified third-party assessor organization (C3PAO)
If a third-party assessment is required, a C3PAO needs to be selected to conduct an independent assessment. This assessment verifies that the organization meets the requirements for the company’s desired CMMC level. To select a C3PAO, verify their accreditation status on the CMMC Cyber AB Marketplace, and evaluate their experience, cost, and reputation.

Conduct an official assessment and achieve certification
If a third-party assessment is required, then after a successful assessment the organization will receive its CMMC certification, which remains valid for three years.

Be Prepared as the CMMC Compliance Deadline Approaches

The steps required to meet the CMMC compliance deadline should be considered right away. While the actual deadline is still being finalized, most organizations take 12 to 18 months to achieve compliance on their own, even if they have the requisite skill sets in place. There is also an ongoing effort for DoD contractors and subcontractors to continue to meet evolving defense-related requirements and maintain their approved status as DIB contractors and/or subcontractors. So, it’s best to take immediate action on CMMC 2.0.

Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 17,000 customers with millions of users worldwide.

Last Updated: 23rd August, 2024
