Current Status of CMMC 2.0 - Possible Release Date
Update: The timeline for when CMMC will be officially published has been altered over the past year. In 2022, the original plan was to see CMMC wording included in contracts by May of 2023. However, as of July 24th, 2023, the proposed CMMC rule has been sent to the Office of Management and Budget where they will have 90 days to review and send it back for changes. If approved, the rule will enter into a public comment period. This means that CMMC may be finalized in Q1 of 2025.
What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is a proposed compliance standard developed by the DOD that seeks to create a standardized process for securing controlled unclassified information (CUI) across private organizations working within the Defense Industrial Base (DIB). Initially created with 5 levels of maturity, CMMC 2.0 consolidated these levels into 3: Foundational, Advanced, and Expert.
Updated Release Window for CMMC 2.0
As of July 24th, 2023, the proposed CMMC rule has been sent to the Office of Management and Budget, where they will have 90 days to review and send it back for changes. This means that if approved, CMMC could be released in September of 2023. Once released, the proposed rule will have a public comment period where the DOD will collect and respond to any concerns or comments that pertain to CMMC and its implementation. While the rule may be officially released later this year, a final rule may not be in place until late 2024. However, this means that the DOD is taking CMMC seriously and that this rule is being treated as significant.
For organizations seeking to become compliant, there are a few important things to note. First, it will take months for this new rule to be put into effect, meaning that it may take time to see CMMC officially written into contracts. Second, CMMC compliance is not a quick process. Becoming compliant may take months for certain organizations, which is why it is important not to procrastinate. Finally, NIST 800-171, the framework CMMC is grounded in, is also in the process of being changed. This means that we may also see changes to CMMC in the future, so be prepared.
If your organization wants to become CMMC compliant but isn't sure where to start, contact CorpInfoTech today!
Want more information about CMMC? Check out CorpInfoTech’s blogs:
- What Is CMMC and Who Needs It
- What Does CMMC Mean to the Manufacturing Industry?
- The Basics of CMMC 2.0 for DOD Contractors
CorpInfoTech (Corporate Information Technologies) provides small to mid-market organizations with expert I.T. services including compliance assessment, cybersecurity penetration tests, and comprehensive business continuity planning services. CorpInfoTech can help organizations quantify, create, refine, and mitigate the risks presented by business-threatening disasters in whatever form they may be disguised.