last changes: 11/27/2023
CMMC Timeline of Rollout
The CMMC Certification Process and Timeline underwent many changes and experienced delays over the last years but is on track for publication in October 2023.
The DoD had started rolling out the first contracts with CMMC 1.02 requirements in 2021. The small number of initial contracts that were part of this pilot project phase were expected to impact 1500 companies in the Defense Industrial Base (DIB) Supply Chain. The interim DFARS rule established a five-year phase-in period, during which CMMC compliance is only required in select pilot contracts, as approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)).
All this changed November 4th 2021 when the DoD announced the latest iteration CMMC 2.0 which includes significant changes to the CMMC program overall, including the CMMC compliance levels, assessment requirements, and CMMC implementation timeline. The DoD does not intend to approve inclusion of CMMC requirements in any contract prior to completion of the CMMC 2.0 rulemaking process which it estimates to take 9-24 months and which will formally implement CMMC 2.0. CMMC director Stacy Bostjanick provided an update in May 2022:
“May 2023 is the critical point. That’s when we think we will be able to start putting the requirement in contracts. … You are probably going to see RFIs, RFPs coming out in the summer of 2023.”
“Bostjanick said the Pentagon is encouraging companies to do “an early adoption of CMMC” through getting an assessment completed by an approved certified third party assessment organization before the rulemakings go into effect.”
For the full article see: https://insidecybersecurity.com/share/13502
The DoD stated that it is “exploring opportunities to provide incentives for contractors who voluntarily obtain a CMMC 2.0 Level 2 certification”.
The assessments on a voluntary basis for early adopters started end of August 2022. Technically, these early audits are joint assessments of a C3PAO with the DCMA (Defense Contract Management Agency) which oversees the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). These joint assessments performed by DIBCAC and a C3PAO are “High Confidence Assessments” (DFARS 252.204-7012 and NIST SP 800-171) and the resulting score will be entered into SPRS. Once the CMMC rulemaking process is complete, the DoD intends to convert those assessments with a perfect score into CMMC Level 2 certifications.
Since the rule-making process is currently in its final stretch the DoD announced in fall 2022 that it will not comment further until the interim or final ruling. On November 21st 2023, the CMMC rule completed its final review step by the Office of Information and Regulatory Affairs (OIRA) and publication is expected for early December 2023.
When Will CMMC Requirements Show up in Contracts?
The expectation is that CMMC compliance requirements will start to show up in contracts either in Q1 2024 or Q1 2025. It depends on how the CMMC rule will be published. There are two scenarios:
Scenario 1: Publication of CMMC As “Proposed” Rule
If CMMC will be published as a Proposed Rule, a 60 day public comment period will be followed by a ~12 month long public comment review period. At the end of this process CMMC will be published as a final rule sometime in Q1 2025 and CMMC requirements will begin to show up in contracts. The graphic below illustrates the urgency to start CMMC Level 2 implementation work as it takes organizations an average of 12-18 months to become compliant with the requirements.
Scenario 2: Publication of CMMC As “Interim Final Rule”
Should CMMC ruled to be too important to accept any delays, it might get published as Interim Final Rule. While the same 60 day public comment period as in scenario 1 will apply, these comments will not have to be addressed before CMMC takes effect. CMMC requirements can show up in contracts immediately. Any organization that will be required to become CMMC Level 2 certified and that has not started the CMMC compliance process yet might not be eligible for contracts for more than a year in this situation. The CMMC implementation timeline for the average organization for Level 2 is shown in blue.
No matter which scenario will play out, we have seen CMMC specific language show up in some contracts. This is usually in the form of a paragraph stating that CMMC certification will be required once this program is rolled out.
The CMMC Certification Process – Who Is Involved?
The CMMC eco-system is always evolving and has a lot of moving parts. Based on the CMMC level your company will need to achieve, you will either have to prove CMMC compliance through a self-assessment or you will be assessed and certified by a 3rd party organization or DoD officials. For details see CMMC Compliance Levels and Requirements in CMMC 2.0.
Your organization’s CMMC implementation timeline will depend on your current NIST SP 800-171 compliance status and the level you will need to achieve. If you will be required to become CMMC certified (CMMC Levels 2 (partially) and 3), a few organizations are relevant. The main parties involved and their focus are summarized in the diagram bellow. The CMMC Accreditation Body (CMMC-AB) is authorized by the US Department of Defense to be the sole authoritative source for the operationalization of CMMC Assessments and Training with the DOD contractor community. This organization rebranded in June of 2022 and is now called The Cyber AB.
On the way to certification there are two main type of organizations that you will encounter. Both are trained and registered/certified by The Cyber AB:
- CMMC Registered Practitioner Organizations™ (CMMC-RPO) like Ecuron are focused on consulting and help with all the steps until the certification assessment. This includes an initial CMMC gap analysis, followed by remediation and implementation of missing controls, developing documentation etc. Prior to the certification audit by a C3PAO it is recommended to perform a CMMC Pre-Assessment.
- CMMC Third Party Assessor Organizations™ (C3PAO) are focused on the CMMC Assessment (aka Certification Audit). They will report their findings to The Cyber AB which will award you the certification if applicable. While C3PAOs are able to provide all services that CMMC-RPOs provide, they cannot provide those services to a company they will assess. This would be a clear conflict of interest.
The CMMC Certification Process – The Different Phases
Achieving CMMC compliance for your organization can be broken down into four phases:
CMMC Certification Timeline – An Example
Each organization, scope, implementation, and certification is different as it depends on a variety of parameters that determine timeline and cost. Among the main factors are:
- CMMC Level required.
- Existing infrastructure and cybersecurity posture of the DoD contractor
- Number of locations in scope
- Availability of the C3PAO to perform the Certification Assessment.
While timing is influenced by these factors, the following general example of the CMMC implementation timeline and the CMMC certification process will give you a good overall idea about the steps involved and some time estimates.
HOW WE CAN HELP
Due to our status as a CMMC Registered Practitioner Organization™ (CMMC-RPO), Ecuron can perform pre-assessment services which include CMMC gap analysis, CMMC implementation support, and CMMC pre-assessments. We do not conduct the final Certification Assessments.
Depending on your current cybersecurity status as well as the CMMC Level you are required to achieve, implementation of the new standard will take several months. Starting now by implementing the requirements and cyber security best practices will save you valuable time and will get you ahead of the curve and competition.
We offer CMMC Consulting Services to get you CMMC compliant in 4 Steps:
- CMMC Gap Analysis / CMMC Gap Assessment
See where your organization stands and what it takes to achieve compliance - CMMC Implementation Help
Based on the results of the first phase we will help you to close existing gaps by implementing suitable controls and any missing requirements. This includes developing and writing the extensive documentation required. - CMMC Pre-Assessment
Think of it as a mock audit. We will verify that everything is in place, mature, and can be proven to an auditor. If we find issues we will help you fix them. Once we are confident that you are ready for the CMMC Assessment we will recommend to schedule the actual audit. - CMMC Assessment Support
We help you prepare for the certification audit, gather & organize evidence for a smooth assessment by the C3PAO. We will be at your side throughout the process.
If you would like to speak to our team to discuss your CMMC requirements and schedule a complimentary 15-30 min consultation, email us at cmmc@ecuron.com or give us a call.