CMMC 2 Compliance In 2024 And Beyond—What DoD Contractors Need To Know

March 11, 2024
CKSS CMMC DFARS Compliance Consultants cybersecurity operations security

CMMC 2.0 Public Comments Wrapped Up In February, So What’s Next?

We’ve been posting articles for several years now documenting the genesis and evolution of the Cybersecurity Maturity Model Certification (CMMC) program, starting with v1.0.

We get it. Many of you have been too busy running your business to stay abreast of the rulemaking process and all of its intricacies.

That’s why we’re here.

The entire CKSS team has been busy paving the way for small and medium-sized DoD contractors to achieve CMMC compliance with timely, efficient, cost-effective solutions.

In this post, we’ll give you the information you need to address CMMC 2.0 in 2024 and beyond. Here’s what you’ll take away: 

  • How To Assess Your Current State Of CMMC 2 Operational Readiness In The Context Of The Impending Final CMMC 2 Rule
  • How To Evaluate Your Timelines For CMMC 2 Implementation 
  • How To Formulate Your Company’s Custom Action Plan

We’re also going to talk about industry-tested solutions.

CKSS blog CMMC

Courtesy of CKSS Security Solutions

So let’s get started.

How To Assess Your Current State Of CMMC 2 Operational Readiness In The Context Of The Impending Final CMMC 2 Rule

Let’s do a quick review of the goal of CMMC 2.0. The program is intended to ensure the secure handling of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). DoD CIO sums it up nicely:

DoD’s intent under the CMMC program is to require assessment against the required cybersecurity standards (i.e., NIST SP 800-171) only when safeguarding of CUI is required. For some programs or some CUI, DoD will require certification based on assessment by a C3PAO or the Government, rather than relying on a self-assessment. If a DIB company does not process, store, or transmit CUI on its unclassified network, but does process, store or handle FCI, then it must perform a CMMC Level 1 self-assessment and submit the results with an annual affirmation by a senior company official into SPRS.

The TL/DR?

If your company is handling FCI or CUI, you will need a Level 1 self-assessment, per the FAR clause, or a Level 2 assessment from a C3PAO. The CMMC Level 2.0 certification requirements use NIST SP 800-171 as the reference document.

Now let’s talk about some upcoming timelines.

How To Evaluate Your Timelines For CMMC 2 Implementation 

The public comment period for the proposed CMMC 2 rule officially closed on February 26.

CKSS blog CMMC

 Courtesy of Regulations.gov

There were hundreds of comments on the rule. So our best guess, given DoD’s history with rulemaking, is that the final rule will be published in early 2025. That’s when we think CMMC 2 implementation will kick off and DFARS clause 252.204-7021 will start showing up in contracts.

DoD has made it clear that CMMC 2.0 compliance requirements will roll out over three years after the publication of the final CMMC 2 Rule.

So the burning questions are—which contracts will it show up in and when? And can you afford to get caught unprepared on a large contract?

Remember, if you’re handling FCI only, you can self-assess. If you’re handling CUI you’ll need an assessment from a C3PAO. If you’re downstream of a subcontractor or a prime, they may also insist that you have a Level 2 certification.

We’re estimating that it will take 3-5 months for a typical Level 1 assessment and control implementation.

Experience also tells us that the timeframe for a CMMC 2.0 Level 2 assessment, implementation, and certification process is in the 12-24 month range.

Are you and your team ready for a potential CMMC 2 operational readiness requirement in Q1 2025?

How To Formulate Your Company’s Custom Action Plan

Let’s determine where you are, where you need to get to, and your CMMC assessment timeline together. We have the cost-effective, purpose-built templates and tools you need to get started today.

Our CMMC/DFARS templates are user-friendly and pre-filled with the most critical documentation. You simply follow the instructions in the sidebar and fill in your company-specific information. 

The bottom line?

Our CMMC/DFARS templates save you time, money, and resources so you can become compliant faster.

According to DoD, there are over 220,000 contractors that will need to be CMMC 2.0 certified as the program rolls out over the coming years. Is it time for you to get your CMMC 2 implementation and certification plan in place?

CKSS blog CMMC

Courtesy of DoD-The Federal Register

You Need A Trusted Partner With CMMC 2.0 Compliance Experts, Tools, Templates, And Solutions Ready To Deploy  

Now is a great time for you to take control of your CMMC 2 implementation and certification plan.  

Check out our customizable NIST SP 800-171/CMMC Full Compliance Toolkit for federal contractors, small and medium-sized companies, military engineers, and Fortune 500’s.

These are just some of the features:

  • Includes 72 NIST/CMMC Documents
  • Bonus–DFARS/NIST 171/CMMC Roadmap
  • Bonus–CUI Discovery Worksheet
  • Bonus–NIST 171/CMMC Checklist
  • NIST 171/CMMC Policies
  • BYOD Policy
  • Mobile Device Policy
  • NIST 171/CMMC Procedures
  • Incident response and Contingency plans
  • Training Documents
  • Email Support  

That’s a lot to digest, so you probably have questions.

Let’s get you the answers you need.

Schedule your live demo with a CKSS professional today.

You can also call us anytime at 443.464.1589 or get in touch with our team online

We’re ready for CMMC 2.0. Are you?