Companies looking to become compliant should have started their security and compliance journey in Q3 of 2023. It takes a company an average of 12-18 months to complete the 7 Steps of CMMC.
The CMMC rule was published on December 26, 2023. Companies looking to become CMMC compliant should start their journey now. It takes a company an average of 12-18 months to complete the 7 Steps of CMMC Compliance, plus 9-15 months to get a CMMC assessment.
See the timelines below to plan out your CMMC journey and ensure that you're prepared in time.
Here's what you need to know about when CMMC compliance will be required:
- The CMMC Proposed Rule was published on December 26, 2023.
- It takes an average of 12-18 months to prepare for a CMMC assessment.
- CMMC assessments will be available in Q1 2025.
- Due to the shortage of CMMC assessors, the approximate wait time for a CMMC assessment is 3-5 quarters (9-15 months).
- The phased roll out of CMMC as a contractual requirement will begin around Q3 of 2025.
How long does it take to get CMMC compliant?
It typically takes organizations anywhere from 12-18 months to prepare for an assessment, plus 9-15 months to get your CMMC assessment.
How do I know if I need to be CMMC compliant?
Check your existing contract requirements to determine your appropriate level of CMMC, If you have existing DFARS 7012 requirements and you handle CUI, it is likely that you'll need to be CMMC Level 2 compliant.
What should I do next to become CMMC compliant?
Speak with an expert here at Summit 7 to get clear next steps for your organization.
Then, download our CMMC Readiness Brief for an overview of the steps required for CMMC compliance.
What is the CMMC Compliance Deadline Update for 2024?
As of May 2024 Department of Defense has officially submitted the proposed 48 CFR CMMC rule for regulatory review. This milestone allows us to estimate the timeline for the implementation of CMMC regulations. The delays have been addressed, signaling that contractors need to start preparing for the upcoming CMMC roll-outs—yes, there are two distinct roll-outs to anticipate.
Watch the Podcast
This episode is from the Sum IT Up podcast. Click here to learn more.
Are There Two CMMC Rules?
Indeed, there are two separate CMMC rules. (For more details, check out our webinar)
What is the 32 CFR CMMC Rule?
The first rule, known as the "32 CFR CMMC," codifies the CMMC program. This rule, published as a proposed rule in December 2023, will officially make certification assessments available on the market. National Security programs like CMMC are codified in Title 32 of the Code of Federal Regulations.
What is the 48 CFR CMMC Rule?
The second rule updates the DFARS contract clause 252.204-7021, which outlines the Cybersecurity Maturity Model Certification Requirements, to align with the 32 CFR CMMC program details. This clause, originally published in 2020, needs revisions to reflect changes from CMMC 1.0, including the reduction from five to three levels, allowances for temporary findings (POAMs), and the introduction of a waiver process.
Once both rules are finalized and effective, contractors will know the required CMMC certification level for specific contracts based on their 7021 clause. The procedures for assessment, including requirements and allowances for temporary deficiencies, will be detailed in Title 32 of the CFR.
When Will CMMC Be Published?
The submission of the 48 CFR CMMC rule in May 2024 sets an expectation for its publication in August 2024.
Following a standard 60-day public comment period ending in October 2024, the DoD will review and adjust the rule before resubmitting the final version to OIRA—a process that typically spans around 280 business days. The rule will become effective 30 to 60 days post-approval, likely by Q4 2025.
Regulatory review by OIRA takes up to 90 days, with a possible 30-day extension. Once approved, the proposed and final rules are published in the Federal Register, opening them up for public comment. Submitting the 48 CFR CMMC rule for review offers a clear timeline to estimate the remaining process.
The Pressure is Coming: Two CMMC Rollouts
With two distinct CMMC rules on separate publication schedules, the CMMC program will undergo two different roll-outs. The "market roll-out" will begin once the 32 CFR CMMC rule is effective, allowing early adopters and competitors to seek certification voluntarily, even before the DoD requires it in contracts. Large prime contractors may also require their suppliers to get certified, accelerating the market roll-out.
The "phased roll-out" will start once the 48 CFR CMMC rule is finalized, enabling the DoD to include specific CMMC level requirements in contracts and solicitations.
Defense contractors will face mounting pressure to achieve CMMC certification long before it becomes a contractual requirement, with this pressure anticipated to start in Q4 2024.
