After years of anticipation and delays, the Department of Defense (DoD) has finally published a proposed rule for the Cybersecurity Maturity Model Certification (CMMC) 2.0. This long-awaited proposed rule outlines the DoD’s plan to implement CMMC requirements over the next few years. Now, the final rule isn’t here yet—comments on the proposed rule are due on February 24, 2024, and the final rule is anticipated in the fall of 2024. However, we finally have some tangible guidance to consume, 234 pages to be exact.
So, let’s break down this proposed CMMC rule, touch on the highlights, and discuss the tentative timeline.
Pausing for a moment, let’s backtrack and briefly discuss what the Cybersecurity Maturity Model Certification is and the reasoning behind it. Back in 2019, the DoD released CMMC 1.0, which included a framework to assess government contractors’ cybersecurity maturity while encouraging them to move away from self-attesting their cybersecurity status.
The idea for CMMC is to create a more organized and consistent way for contractors in the Defense Industrial Base (DIB) to meet National Institute of Standards and Technology (NIST) guidelines for protecting Controlled Unclassified Information (CUI). The DoD already has provisions in its contracts requiring contractors to protect CUI, but the agency does not typically check whether these requirements are actually being followed.
After CMMC 2.0 was announced in late 2021, contractors and agencies alike have been eagerly awaiting more guidance on how to proceed, what it would look like in future solicitations, and how it would be played out over the next few years.
In December 2023, the proposed rule for CMMC 2.0 was finally released, giving industry a more concrete answer to their questions. So, let’s dive in.
The DoD has created a four-phase plan to be rolled out over the next three years once the final rule is officially put in place.
The first phase will begin once the CMMC final rule is published and there is a change to the Defense Federal Acquisition Regulation Supplement (DFARS). Phase one will be centered on introducing CMMC’s self-assessment requirements across all new solicitations and other contract options. These self-assessment requirements are for contracts with Federal Contract Information (FCI) and CUI that is considered less sensitive. The elimination of third-party assessors in this phase was an effort to make it more accessible for smaller businesses and contractors who are not dealing with highly sensitive contracts.
Phase two is anticipated to begin six months after phase one. Under phase two, the DoD will implement the certification assessment requirements for “level two” of CMMC. At this level, contractors in the DIB must obtain a certification from a third-party assessment organization. The DoD expects it will take around two years for companies with existing contracts to be CMMC certified in phase two.
In phase three, the penultimate phase, the DoD will introduce “level three” requirements. This level will apply to contracts involving the most sensitive CUI. These assessments are conducted by the DoD itself, rather than through a self-assessment or a third-party assessment organization. Phase three is expected to begin one year after phase two.
Phase four is the complete implementation of all CMMC requirements. Following the same cadence, phase four will begin one calendar year after the start of phase three.
One significant change we see in this proposed rule is the affirmation requirements. These requirements state that a senior official from the prime contractor and any applicable subcontractors must affirm compliance with the cybersecurity regulations. These affirmations would be entered electronically through the Supplier Performance Risk System (SPRS). This puts the responsibility on leadership to ensure all requirements are being met, something that has not existed formally before.
The next notable addition we see in the proposed CMMC rule is the use of Plans of Actions and Milestones (POA&Ms). When contractors cannot fully meet every requirement in level 2, they can have “conditional” self-assessments and certifications, but they must close these plans out within 180 days. This new rule gives contractors more time to put controls in place, but they must be actively working toward certification.
Following the four phases above, the DoD anticipates CMMC will appear in solicitations for contracts with CUI by October 2026. It could happen as early as 2025, but if history indicates anything, it could also be much later than the anticipated timeline.
The hope for this proposed timeline is it will give the Cyber Accreditation Body enough time to establish CMMC Third-Party Assessment Organizations (C3PAOs), and to allow contractors enough time to understand and implement the requirements.
If there happens to be a capacity issue with C3PAOs, then the DoD will consider an extension of the implementation period, but it’s not the current plan.
We’ve said it before: it’s important to start preparing early, because getting your company organized to complete these requirements takes time and money. Now that we have more concrete guidance, it’s really time to start planning if you haven’t already.
We suggest a member of your team read the proposed rule in full so your business fully understands all the rules applicable to you. Remember, while you may not be dealing with many (or any) contracts now that handle CUI or are within the Defense Industrial Base (DIB), this could change in the future, and other agencies may adopt these requirements.
To learn more about prepping for the final rule and what to look out for in the proposed rule content, check out our blog, “Preparing for the Final CMMC Rule.”
To stay up to date on future changes to the CMMC rule or other government requirements, subscribe to our blog and monthly newsletter. If you need help figuring out how to meet these requirements, or you need help getting your GSA Schedule in order for future solicitations, we can help guide you in the right direction.