CMMC IS COMING!! ARE YOU READY?
If You're Not Preparing for It Yet, You're Way Behind
When will CMMC 2.0 impact your business? Now that the public comment period is over, the current stage will take 6 to 12 months; however, CMMC 2.0 could possibly be finalized and codified into DFARS 252.204-7021 before the end of 2024.
The DoD will use a phased implementation as part of the CMMC Proposed Rule. It comprises four phases over two and a half years. This timeline will determine when your business will be impacted and when mandates for certification will begin. This is an estimated timeline based on current information; these are not firm dates.
What will CMMC implementation look like?
Phase 1: CMMC Level 1 & 2 Self-Assessments and Some CMMC Level 2 Certification Requirements
- Duration: 6 Months
- Detail: Phase 1 begins on the effective date of DoD’s final CMMC rule (i.e., when DFARS 252.204–7021 is officially revised). During Phase 1, CMMC Level 1 or Level 2 self-assessments will become a condition for contract award. Contractors must self-assess their compliance with the cybersecurity requirements of CMMC Level 1 or 2 (whichever level applies to the contract) to be eligible for contract award. The DoD may also include third-party CMMC Level 2 certification requirements in certain contracts at its discretion.
Phase 2: Additional CMMC Level 2 & Some Level 3 Certification Requirements
- Duration: 1 Year
- Detail: Phase 2 begins six months after Phase 1 starts. During Phase 2, the DoD will add CMMC Level 2 certification requirements for eligibility for all applicable contract awards. Contractors must pass a third-party Level 2 CMMC assessment to qualify for contracts with Level 2 CMMC requirements. At its discretion, the DoD may also begin to release some contracts with Level 3 certification requirements during this phase.
Phase 3: CMMC Level 2 Certifications Required for Contract Options on Contracts Finalized Before CMMC Final Rule and Level 3 Certification Requirements
- Duration: 1 Year
- Detail: Phase 3 begins one year after Phase 2 starts. During Phase 3, the DoD will extend the CMMC Level 2 certification requirement to applicable contracts awarded before implementing the CMMC rule. The DoD will not exercise options on existing contracts unless the contractor has passed a third-party Level 2 CMMC assessment (assuming the CMMC Level 2 requirements apply to the contract). Additionally, the DoD will begin to include CMMC Level 3 certification assessment requirements in all applicable contract awards.
Phase 4: Full Implementation
- Duration: Ongoing
- Detail: Phase 4 begins one year after Phase 3 starts and will mark the full implementation of the CMMC program. During Phase 4, the DoD will include all CMMC Program requirements in all applicable DoD solicitations and contracts, including options for existing contracts.

- Q4 2024 / Q1 2025 - CMMC Final Rule Publication, CMMC Implementation Begins.
- Q4 2024 / Q1 2025 - CMMC language begins to appear in contracts, requiring Level 1 and Level 2 Self-Assessments.
- Q4 2024 / Q1 2025 - Some contracts may include third-party CMMC Level 2 certification requirements at the discretion of the DoD.
- Q2 2025 / Q3 2025 - CMMC Level 2 certification requirements included in all applicable contract awards.
- Q2 2025 / Q3 2025 - Some CMMC Level 2 certification requirements begin at the discretion of the DoD.
- Q2 2026 / Q3 2026 - CMMC Certifications are Required in new contracts and for exercising contract options for contracts finalized before the CMMC Final Rule.
- Q2 2026 / Q3 2026 - CMMC Level 3 certification requirements included in all applicable contract awards.
- Q2 2027 / Q3 2027 - CMMC Full Implementation - CMMC requirements appear in ALL DoD solicitations and contract options.
Another consideration:
- The estimated wait time to schedule a CMMC Assessment with a Certified Third-Party Assessment Organization (“C3PAO”) is at least 6 months.
What should you be doing now?
- First of all, if you haven’t started already, start implementing NIST 800-171 Rev. 2’s 110 controls – either across your organization or on the specific systems, services, locations, and staff designated for handling data used to fulfill CMMC contracts (if you’ve already determined or defined which people, processes, and technology will comprise your CMMC scope).
To help your business navigate these previously uncharted waters, Bluestreak Compliance™ has CMMC Registered Practitioners and Registered Practitioner "Advanced" on staff, ensuring expertise and proficiency in CMMC compliance and cybersecurity practices, with discounted rates for SMBs.