The CMMC Proposed Final Rule: What It Is and When It Goes Into Effect

The Cybersecurity Maturity Model Certification (CMMC) is a program the Department of Defense (DoD) is rolling out to make sure companies working with them have sufficient cybersecurity measures in place to protect sensitive information. Think about all the important data that defense contractors handle – plans, communications, project details. The DoD wants to make sure that this information is well-protected from cyber threats.

In 2019, the DoD started working on a framework to make sure contractors and subcontractors meet certain security standards. This framework builds on existing requirements from DFARS 252.204-7012 and adds a way to verify compliance through third-party certification. The proposed rule is basically the set of guidelines and requirements the DoD is putting in place to get everyone on the same page.

The development of CMMC has been a step-by-step process. For instance, CMMC 1.0 was introduced under an interim rule in 2020. In November 2021, the DoD announced CMMC 2.0, which is the foundation for the latest Proposed Final Rule, which was published on December 26, 2023.

The CMMC Proposed Final Rule introduces a framework with three levels of cybersecurity practices. Each level builds on the previous one, getting more advanced:

  • Level 1: Foundational - Basic practices that everyone should be doing, like updating antivirus software and managing passwords.
  • Level 2: Advanced - More comprehensive practices, aligned with NIST SP 800-171, like encryption and incident response plans.
  • Level 3: Expert - For the most sensitive information, with advanced measures like continuous monitoring and proactive threat hunting.

Why three levels? Not every contractor handles the same type of information. Some might just handle basic contract details, while others might handle detailed plans or sensitive communications. The three levels let companies match their security efforts to the type of information they’re dealing with and allow DoD officials and contract owners the assurance that the organizations they’re working with are protecting their data according to a specific standard.

Who will need to comply with the CMMC Proposed Final Rule?

If you’re a contractor or subcontractor working with the DoD, you’ll need to get certified at one of these levels. The specific level you need depends on the type of contracts you’re bidding on and the sensitivity of the information involved.

For Levels 2 and 3, you’ll need to undergo an assessment by a third-party organization to make sure you’re actually following the required practices. Level 1 can often be self-assessed, but it still requires you to demonstrate compliance with the basic practices.

When does the CMMC Proposed Final Rule go into effect?

The DoD published the final rule, the 32 CFR rule, in the Federal Register on October 15, 2024, and it went into effect on December 16, 2024. This means that the CMMC 2.0 program is now live and assessments are available.

However, the timeline for implementing CMMC 2.0 is still ongoing and subject to change. That's because two rules are needed to fully implement CMMC 2.0: the 32 CFR rule and the 48 CFR rule. The 48 CFR rule implements CMMC policies in DoD contracts and describes the language that will be used in CMMC contracts. So while the program went live in December, it won’t actually be a requirement in DoD contracts until the 48 CFR rule is final.

The 48 CFR rule is expected to be final in Q2 2025. At that time, the CMMC phased rollout will begin.

The CMMC rules will be rolled out in stages, eventually making certification a requirement for winning federal contracts by 2028. Here’s the plan:

  • Phase 1: Requires CMMC Level 1 or Level 2 self-assessments for certain contracts. The DoD does have discretion to include Level 2 certification assessment requirements in contracts at this time. Starts on the effective date of the 48 CFR rule.
  • Phase 2: Requires official CMMC Level 2 certification assessments. Begins one year after Phase 1 starts.
  • Phase 3: Includes CMMC Level 3 assessments. Begins one year after Phase 2 starts.
  • Phase 4: Full implementation for all relevant contracts. Begins one year after Phase 3 starts.

This does not mean that organizations can delay CMMC implementation until 2028. They must be fully ready for each of the deadlines represented by these phases — and that means the time to start getting ready is now (if they haven't already).

This is particularly urgent for organizations that need Level 1 and Level 2 compliance, since the DoD plans to include CMMC requirements for Levels 1 and 2 in all new contracts as soon as 2025. It is also particularly urgent for subcontractors, whose prime contractors will likely begin pressuring them to implement CMMC 2.0 before any of these phased deadlines.

That said, there are some dependencies that must be met before these phases can begin rolling out. Namely, the 48 CFR rule still needs to go before Congress so that it can be finalized.

Previously, the rule was expected to go before Congress by mid-October 2024 so that it could be finalized before the end of December 2024. This needed to happen because the congressional disapproval period can’t cross from one Congress to the next. Because 2024 is an election year, a new Congress will be instituted in early January 2025, which could potentially delay the process. If the rule got to Congress before the end of October, the 48 CFR rule would have become final by the end of December or very early in January 2025. However, since the rule is going to Congress after October, CMMC will not become final until sometime in March 2025.

FAQs

What is the proposed rule of the CMMC?

The proposed rule of the Cybersecurity Maturity Model Certification (CMMC) is a set of guidelines and requirements established by the Department of Defense (DoD) to ensure that defense contractors implement appropriate cybersecurity practices to protect sensitive information. It introduces a tiered framework with three levels of security, each with increasing complexity and rigor.

Is CMMC 2.0 rule-making complete?

As of October 15, 2024, the rule-making process for CMMC 2.0 was complete, with the DoD publishing the final rule (32 CFR).

Is CMMC required yet?

Although the final rule has been published and gone into effect, the CMMC 2.0 is not yet fully required for all defense contracts. The CMMC 48 Code of Federal Regulations proposed rule, DFARS Clause 252.204-7021, must also be finalized and approved by Congress before the DoD can insert CMMC compliance requirements into defense contracts. The 48 CFR rule is expected to be finalized in Q2 2025, at which point the CMMC phased rollout will begin.

What is the interim rule for CMMC?

The interim rule for CMMC was a temporary set of guidelines issued by the DoD to begin implementing CMMC requirements while the final rule-making process was still ongoing. This interim rule provided initial guidance and requirements for defense contractors to start preparing for CMMC compliance.

The CMMC interim rule is based on DFARS and established a five-year phased approach for CMMC implementation, during which CMMC compliance is only required in select pilot contracts approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)).

The difference between a proposed rule and an interim rule is the timing of when changes go into effect with respect to the public comment period before a final rule is published. An interim rule is effective before the DoD responds to public comments, whereas a proposed rule is effective after the DoD responds to public comments. CMMC 1.0 was an interim rule, while CMMC 2.0 is a proposed rule.

The CMMC proposed rule establishes security requirements for FCI and CUI, included a period for public comment and review, and is still making its way through the final rule-making process.

Has CMMC 2.0 been released?

Yes, the DoD released the long-awaited final CMMC 2.0 rule in October 2024, and it went into effect in December 2024. However, the final rule does not trigger the start of the phased rollout of CMMC 2.0. Instead, the CMMC rollout will begin after the DFARS rule (48 CFR) is also finalized.