People often make New Year’s resolutions to reflect on the past year and set goals for personal growth, improvement, or change in the year ahead. One of the funniest I’ve heard is, “My New Year’s resolution is to stop procrastinating… starting tomorrow.” If you’ve been procrastinating on learning about CMMC, now is the time to stop delaying—especially since the final Cybersecurity Maturity Model Certification (CMMC) program rule officially became law on December 16, 2024. Let’s explore what this means for you and your organization!
CMMC Final Rule: What You Need to Know About CMMC 2.0 in 2025
The CMMC has been a critical framework in enhancing the cybersecurity posture of organizations within the Defense Industrial Base (DIB). Over the years, the Department of Defense (DoD) has worked to refine this program, culminating in the release of the CMMC 2.0 final rule in 2024. In this blog, we’ll dive into the details of the CMMC final rule, its implications, and what it means for contractors working with the DoD.
What is the CMMC Final Rule? A Closer Look
The CMMC Final Rule is the official regulation governing the implementation of the Cybersecurity Maturity Model Certification program. It establishes the compliance requirements that defense contractors must meet to secure DoD contracts. This rule sets the foundation for protecting sensitive federal information, including Controlled Unclassified Information (CUI), and ensuring that the supply chain is safeguarded from cyber threats.
The final rule solidifies the changes introduced in CMMC 2.0, streamlining the program from its original five levels to three, and aligning it more closely with existing federal cybersecurity standards, particularly NIST SP 800-171 and NIST SP 800-172.
CMMC 2.0 Final Rule: Key Highlights
The CMMC 2.0 final rule, released in 2024, introduces several updates that simplify compliance while maintaining robust security requirements. Here are the key highlights.
- Three Maturity Levels
  - Level 1 (Foundational): Basic safeguarding requirements for Federal Contract Information (FCI), with 17 cybersecurity practices.
  - Level 2 (Advanced): Alignment with NIST SP 800-171, requiring 110 security practices to protect CUI.
  - Level 3 (Expert): Incorporates additional requirements from NIST SP 800-172, targeting critical national security programs.
- Self-Assessments and Third-Party Assessments
  - Level 1 allows for annual self-assessments.
  - Level 2 requires third-party assessments by certified third-party assessment organizations (C3PAOs) for contracts involving sensitive CUI.
  - Level 3 involves government-led assessments for the most critical programs.
- Flexibility Through Plans of Action and Milestones (POA&Ms)
  - Contractors are now allowed to submit POA&Ms for certain non-compliant items, providing additional flexibility in achieving certification. However, high-priority requirements must still be met for contract eligibility.
- Streamlined Rulemaking
  - The CMMC 2.0 rulemaking process has been accelerated to address industry feedback and improve clarity. The final rule reflects this streamlined approach, with an emphasis on cost-effectiveness for small and medium-sized businesses.
When Does CMMC Go Into Effect?
The CMMC final rule became effective on December 16, 2024. However, its implementation will be phased over the next three years. The DoD plans to include CMMC requirements in select contracts in fiscal year 2025, with full implementation expected by 2028.
CMMC Rulemaking Timeline
Understanding the timeline of the CMMC rulemaking process helps contextualize its development.
- CMMC 1.0 (2020):
  - Introduced a five-level certification framework.
  - Aimed to enhance cybersecurity across the DIB.
- CMMC 2.0 Announcement (2021):
  - Streamlined to three levels.
  - Aligned with existing NIST standards.
- CMMC Proposed Rule (July 2023):
  - Opened for public comment, incorporating industry feedback.
- CMMC Final Rule Release Date (October 2024):
  - Published in the Federal Register on October 15, 2024.
  - Effective as of December 16, 2024.
Is CMMC 2.0 Rulemaking Complete?
Yes, the CMMC 2.0 final rule signifies the completion of the rulemaking process. The DoD has incorporated feedback from stakeholders and aligned CMMC requirements with federal cybersecurity standards. Contractors now have clear guidance on what is required to achieve compliance.
Is CMMC Required Now?
As of December 2024, CMMC requirements are not yet mandatory for all contracts. The DoD will gradually introduce these requirements through a phased rollout, starting with high-priority contracts in fiscal year 2025. Contractors are encouraged to begin preparing for compliance as soon as possible to avoid disruptions.
What is the Deadline for CMMC Compliance?
The deadline for full CMMC compliance depends on the specific contracts being pursued. For most contractors, the DoD will begin requiring compliance on new contracts starting in fiscal year 2025. Full implementation across all applicable contracts is expected by 2028.
CMMC Compliance: What You Need to Do Now
To prepare for CMMC compliance, contractors should take the following steps.
- Assess Your Current Security Posture:
  - Conduct a gap analysis to determine how well your current practices align with NIST SP 800-171 and the applicable CMMC level.
- Implement Necessary Controls:
  - Address any deficiencies identified in the gap analysis, focusing on high-priority controls required for certification.
- Document Policies and Procedures:
  - Ensure that your cybersecurity policies and procedures are well-documented, as these will be reviewed during the CMMC assessment process.
- Engage a C3PAO:
  - For Level 2 certifications, work with a certified third-party assessment organization (C3PAO) to prepare for and undergo assessments.
- Stay Updated on CMMC News:
  - Follow the latest updates from the DoD to stay informed about changes to the CMMC program or implementation timelines.
What is the Latest Version of CMMC?
The latest version of the Cybersecurity Maturity Model Certification is CMMC 2.0, finalized in 2024. This version simplifies the framework while maintaining robust security requirements, making it more accessible for contractors of all sizes.
CMMC Updates 2024: What’s New?
The release of the CMMC final rule in 2024 brought several significant updates.
- Clear guidelines on self-assessments, third-party assessments, and government-led reviews.
- Flexibility through POA&Ms, allowing contractors to address certain deficiencies over time.
- Streamlined compliance requirements, reducing costs for small businesses.
Final Thoughts on the CMMC Final Rule
The CMMC final rule marks a major milestone in the DoD’s efforts to secure the Defense Industrial Base against cyber threats. With the implementation of CMMC 2.0, contractors now have a clearer path to compliance, ensuring the protection of sensitive information. While the phased rollout provides time to prepare, organizations should act proactively to meet these requirements and maintain their eligibility for DoD contracts.
By staying informed about CMMC news, updates, and timelines, defense contractors can position themselves for success in an increasingly secure and resilient supply chain.
For any CMMC questions or needs, please feel free to contact our team at Linford and Company LLP.
Mark Larson started working in the technology industry in 1998 where he worked in a number of different roles prior to transitioning to the public accounting world in 2004 with Ernst & Young (EY). During his 6 years at EY, Mark provided both assurance and advisory services that spanned multiple industries for both public and private companies. After leaving EY, Mark filled leadership roles within Internal Audit, Technology, and Security functions for several companies. Mark specializes in SOC examinations and enjoys helping clients establish, formalize, and report on effective control environments while strengthening their security risk profile.