CMMC Final Rule and Implementation Update: What to Expect in 2024-2025 

As the CMMC Final Ruling and Implementation progresses, many organizations are left wondering what to expect in the coming months, and 2025. Recently, it was confirmed that the CMMC Final Rule is near completion and was submitted for final review. In the waiting period for publication, we wanted to provide a quick guide on what organizations need to know and how to prepare for the upcoming developments!  

The Current State of CMMC Compliance Regulations 

The updates to the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, and SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information, is a clear indicator the federal government has every intention of modernizing the security requirements developed to protect the confidentiality of CUI when this sensitive information resides within nonfederal organizations and organizational systems.   

On December 26^th, 2023, the DoD published a 60-day comment period for a proposed Cybersecurity Maturity Model Certification (CMMC) rule. Together, with contributions from the 60-day comment period, the DoD published a proposed final rule.  

Key Takeaways from CMMC Proposed Final Rule 

This rule addresses many concerns organizations had with the 2020 CMMC Legacy Model, CMMC Version 1.0, by allowing self-assessment for some programs and plans of actions and milestones (POA&Ms) for others, and further simplifying CMMC from five CMMC levels to only three (CMMC Level 1, 2, 3). This new model allows government officials to leverage a CMMC waiver request process for rare programs and offerors. The waiver can only be originated by the DoD Program Manager, not the DIB.  

One of the proposed rule’s biggest wins is its direct alignment with NIST SP 800-171 and 800-172 (CMMC Level 3).  

The CMMC final rule and its implementation timeline highlight the evolution and future direction of cyber risk management and governance for defense contractors. We further explore the critical historical and future milestones and updates in the journey toward enhanced cyber compliance within the defense sector.  

CMMC Framework and Final Rule Timeline  

CMMC Versions  
The CMMC framework has undergone several iterations to refine its requirements. In November 2020, CMMC v1 was published, followed by significant changes announced in December 2021 with the introduction of CMMC v2.  

Proposed Timeline for the CMMC Final Rule  
The proposed timeline for the CMMC final rule includes several key milestones:  

• December 26^th, 2023: The proposed CMMC rule was published in the Federal Register.  

• February 26^th, 2024: The public comment period closed.  

• May 2024: NIST published updates to NIST 800-171 Revision 3. Concurrently, the DoD issued a class deviation memo requiring defense contractors to comply with NIST SP 800-171 Rev 2, delaying the implementation of Rev 3 for at least two to three years.  

• Mid to Late 2024: Anticipated publication of the final rule.  

• Late 2024 to Early 2025: Expected start of CMMC requirements enforcement for defense contractors.  

CMMC Phased Approach  
The CMMC implementation will follow a phased approach:  

• Phase 1: Begins upon the final and effective date, likely in late 2024 or early 2025, focusing on self-assessment requirements.  

• Phase 2: Six months later, solicitations will require CMMC Level 2 certification assessments by a Certified Third-Party Assessment Organization (C3PAO) for awarding option periods.  

• Phase 3: One year after Phase 2, solicitations will include CMMC Level 1, 2, or 3 requirements, making CMMC a condition for contract awards.  

• Phase 4 (Full Implementation): One year after Phase 3, full implementation of all solicitations will include applicable CMMC-level requirements.  

The CMMC Final Rule Has Been Submitted—What Next? 

Recently the DoD has officially submitted the 32 CFR CMMC program rule and all supporting documentation for final review. This means that once approved, the next step in the Final Rule Stage is publication. After publication and the prescribed adherence period, organizations will be expected to meet the requirements of the official, final CMMC Program Rule.  

Conclusion: Moving Forward with CMMC 

The CMMC framework and its phased implementation timeline reflect the DoD’s commitment to enhancing cybersecurity across the defense industrial base. Defense contractors must stay informed and prepared to meet these evolving requirements, ensuring their systems and practices are strong, tested, and nimble enough to adjust to the constant changes in the regulatory landscape and overcome the many complexities we have yet to face. 

Fortunately, your organization doesn’t have to do this alone. SP6’s specialized Cyber Risk and Compliance consulting services pair your security and compliance personnel with seasoned, accredited CCPs & CCAs (Certified CMMC Professional & Certified CMMC Assessor). For trusted guidance and expertise throughout the anticipated final CMMC Program Rule, get in touch with us today!  

Sources:  

1. Defense Department Releases Companion Video for CMMC Public Comment Period > U.S. Department of Defense > Defense Department News 

2. Building a cybersecurity assessment capability > Defense Contract Management Agency > Article View (dcma.mil) 

3. FEDRAMP-EquivalencyCloudServiceProviders.pdf (defense.gov) 

4. USA002524-20-DPC.pdf (osd.mil) 

5. Department of Defense Issues Class Deviation on Cybersecurity Standards for Covered Contractor Information Systems > U.S. Department of Defense > Release 

6. SP 800-171 Rev. 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | CSRC (nist.gov) 

Talk to an Expert