DoD Proposed Timeline for CMMC
What is CMMC?
The CMMC proposed rule will require any contractor working within the Defense Industrial Base (DIB) that handles controlled unclassified information (CUI) to undergo a third-party assessment to ensure certain security measures are taken to stop sensitive data from falling into the wrong hands. The CMMC model consists of three "maturity levels," each building upon the previous one, with NIST SP 800-171 as its foundation.
The CMMC program is intended to be implemented in four phases:
The CMMC Final Rule becomes effective on December 16, 2024, at which point C3PAO assessments can begin. This rule empowers the DoD to incorporate CMMC into contracts once the 48 CFR Acquisition Rule is finalized, expected in early 2025. Contractors must be ready to demonstrate CMMC compliance starting from Q1 2025.
CMMC Timeline
While many may be tempted to think that CMMC is still several years away from full implementation, that doesn't mean organizations should wait to pursue compliance. As a reminder, the CMMC rule is the DoD's way of assessing compliance with the controls outlined in the NIST 800-171 framework, which contractors have been required to adhere to since 2017.
Organizations that know their SPRS score are ahead of the curve. For those who haven't begun their compliance journey, the time is now.
As a certified RPO with the Cyber AB, CorpInfoTech is fully capable of aiding SMBs in achieving CMMC compliance on time, on budget, and with tangible results. Contact us today to learn more!
CorpInfoTech is committed to becoming CMMC Level 2 (C3PAO) compliant to better serve your organization. Our audit is aligned early in the program's rollout, making us likely among the first MSPs to achieve certification.