CMMC Compliance Deadline: When Do I Need to be CMMC Compliant? (Updated 2024)
Companies looking to become compliant should have started their security and compliance journey in Q3 of 2023. It takes a company an average of 12-18 months to complete the 7 Steps of CMMC.
SEPTEMBER 25, 2024 UPDATE: THE CMMC FINAL RULE WILL BE PUBLISHED ANY DAY NOW.
On December 26, 2023, the CMMC 2.0 proposed rule was published. We know this is a stressful time for many government contractors. We've provided a wealth of knowledge below, but if you need to speak with an expert now to get answers, fill out this form and we'll get in touch with you within 1-2 business days.
See the timelines below to plan out your CMMC journey and ensure that you're prepared in time.
Here's what you need to know about when CMMC compliance will be required:
- The CMMC Proposed Rule was published on December 26, 2023.
- It takes an average of 12-18 months to prepare for a CMMC assessment.
- CMMC assessments will be available in Q1 2025.
- Due to the shortage of CMMC assessors, the approximate wait time for a CMMC assessment is 3-5 quarters (9-15 months).
- The phased roll-out of CMMC as a contractual requirement will begin around Q3 of 2025.
How long does it take to get CMMC compliant?
It typically takes organizations anywhere from 12-18 months to prepare for an assessment, plus 9-15 months to get your CMMC assessment.
How do I know if I need to be CMMC compliant?
Check your existing contract requirements to determine your appropriate level of CMMC. If you have existing DFARS 7012 requirements and you handle CUI, it is likely that you'll need to be CMMC Level 2 compliant.
What should I do next to become CMMC compliant?
Speak with an expert here at Summit 7 to get clear next steps for your organization.
Then, download our CMMC Readiness Brief for an overview of the steps required for CMMC compliance.
What is the CMMC Compliance Deadline Update for 2024?
As of September 2024, the Department of Defense's 48 CFR CMMC Proposed Rule has been published. This milestone allows us to estimate the timeline for the implementation of CMMC regulations. The delays have been addressed, signaling that contractors need to start preparing for the upcoming CMMC roll-outs—yes, there are two distinct roll-outs to anticipate.
Are There Two CMMC Rules?
Indeed, there are two separate CMMC rules. (For more details, check out our webinar.)
What is the 32 CFR CMMC Rule?
The first rule, known as the "32 CFR CMMC," codifies the CMMC program. This rule, published as a proposed rule in December 2023, will officially make certification assessments available on the market. National Security programs like CMMC are codified in Title 32 of the Code of Federal Regulations.
What is the 48 CFR CMMC Rule?
The second rule updates the DFARS contract clause 252.204-7021, which outlines the Cybersecurity Maturity Model Certification Requirements, to align with the 32 CFR CMMC program details. This clause, originally published in 2020, needs revisions to reflect changes from CMMC 1.0, including the reduction from five to three levels, allowances for temporary findings (POAMs), and the introduction of a waiver process.
Once both rules are finalized and effective, contractors will know the required CMMC certification level for specific contracts based on their 7021 clause. The procedures for assessment, including requirements and allowances for temporary deficiencies, will be detailed in Title 32 of the CFR.
When Will CMMC Be Published?
Following a standard 60-day public comment period ending in October 2024, the DoD will review and adjust the rule before resubmitting the final version to OIRA—a process that typically spans around 280 business days. The rule will become effective 30 to 60 days post-approval, likely by Q4 2025.
Regulatory review by OIRA takes up to 90 days, with a possible 30-day extension. Once approved, the proposed and final rules are published in the Federal Register, opening them up for public comment. Submitting the 48 CFR CMMC rule for review offers a clear timeline to estimate the remaining process.
The Pressure is Coming: Two CMMC Rollouts
With two distinct CMMC rules on separate publication schedules, the CMMC program will undergo two different roll-outs. The "market roll-out" will begin once the 32 CFR CMMC rule is effective, allowing early adopters and competitors to seek certification voluntarily, even before the DoD requires it in contracts. Large prime contractors may also require their suppliers to get certified, accelerating the market roll-out.
The "phased roll-out" will start once the 48 CFR CMMC rule is finalized, enabling the DoD to include specific CMMC level requirements in contracts and solicitations.
Defense contractors will face mounting pressure to achieve CMMC certification long before it becomes a contractual requirement, with this pressure anticipated to start in Q4 2024.