Cybersecurity Maturity Model Certification (CMMC) Program Final Rule is Here!

Nick Yankanich, Consultant at ivision. November 21, 2024

The Department of Defense’s long-awaited Cybersecurity Maturity Model Certification (CMMC) program has officially cleared the regulatory review process and has moved on to Congressional review. Under review by the Office of Information and Regulatory Affairs (OIRA) since June 2024, the proposed cybersecurity compliance program cleared this initial regulatory hurdle on September 13th, when OIRA approved the Final Rule for the CMMC Program. This means that no further changes can be made unless the House, the Senate, or the President decides to overturn it.

The Congressional Review Act (also known as the Small Business Regulatory Enforcement Fairness Act) requires that new Final Rules be sent to Congress and the Government Accountability Office for review before they take effect. It further states that Major Rules (i.e. those requiring OIRA review) cannot take effect until at least 60 days after the date of publication in the Federal Register, which allows time for Congressional review. If Congress were to pass a resolution of disapproval that is then signed by the President (or if the President were to veto a Congressionally approved rule), the Final Rule would become void and could not be re-published for review in its current form. However, the likelihood of the Final Rule being disapproved by Congress or the President is slim: since 1996, when this process began, only one rule has been disapproved.

The DoD published the Final Rule for the CMMC Program in the Federal Register on October 15th. However, the DoD’s follow-on DFARS acquisitions rule change, 48 CFR part 204 (the CMMC Acquisitions Rule), which implements CMMC through contracts and the DoD’s acquisitions process, is not anticipated to be finalized and published until early to mid-2025. Only then will the DoD initiate the phased CMMC rollout and begin including CMMC requirements in solicitations and contracts. So, although the CMMC Final Rule states that the effective date of the CMMC Program is 12/16/2024 (exactly 60 days after its publication in the Federal Register), the phased rollout and implementation timeline will not begin until the proposed CMMC Acquisitions Rule (48 CFR part 204) is finalized and published. Nevertheless, the DoD has stated that it plans to finalize and publish the CMMC Acquisitions Rule “in early to mid-2025,” and that “the DoD’s objective timeline to begin implementing the CMMC requirements has been, and remains, FY 2025.”

While there is some buffer between the CMMC Final Rule’s effective date of December 16th, 2024, and the anticipated finalization and publication of the CMMC Acquisitions Rule in early to mid-2025, which will initiate the CMMC phased implementation process, CMMC is here. If you have been waiting to see if and when to assess your program, remediate gaps, develop your audit strategy, and ready yourself for audit, the time to act is NOW.

Make the Most of the Time Remaining

For those defense contractors who have waited to begin identifying gaps, performing necessary remediations, and planning their audit approach, hoping for additional delays in establishing the program or for further bureaucratic and regulatory delays in finalizing and authorizing it, reality should now be setting in. We have a deadline. The timeline is now set, and you can expect to begin seeing CMMC language in contracts in early to mid-2025.

So, based on where your contracts fall in the phased implementation plan, which was described in the Proposed Rule and remains largely unchanged in the Final Rule, you can estimate with reasonable accuracy when CMMC will start to impact your business. For analysis and guidance on the phased implementation approach, and help in determining when your organization may see CMMC language begin appearing in its DoD RFPs and contracts, please see ivision’s prior blog post on this topic.

The CMMC Final Rule, which establishes the CMMC Program, takes effect on December 16, 2024. The DoD’s follow-on DFARS rule change to implement CMMC (the CMMC Acquisitions Rule) will then be published in early to mid-2025, at which time the phased rollout will begin and CMMC language will start to enter some DoD contracts, requiring contractors to prove their CMMC compliance at the time of contract award. It will also require contracting officers to verify that defense contractors have their CMMC compliance status posted in the Supplier Performance Risk System (SPRS).

Additionally, as CMMC takes effect, it is not only your organization that must be compliant, but also every subcontractor you engage to support a DoD contract containing CMMC language. DFARS 7012/DFARS 7020 mandate that defense contractors flow all CMMC requirements down to their subcontractors. This means every subcontractor you engage for work on a DoD contract with CMMC language is required to be CMMC compliant.

How Can ivision Help?

Whether you’re just getting started, already on your way towards CMMC compliance, or just need a second set of eyes on your CMMC planning and implementation, ivision can help you on your CMMC journey. As a Registered Provider Organization (“RPO”), ivision’s team of CMMC Registered Practitioners (“RP”) and CMMC Certified Professionals (“CCP”) is trained and ready to work with your team to accelerate your progress and provide the CMMC planning, governance development, and implementation guidance your organization needs.

ivision has helped DIB contractors ranging from multi-billion-dollar manufacturers to small and mid-sized businesses working towards CMMC compliance. ivision has helped clients with:

1. CMMC Assessment & Planning

2. CMMC Program Management

3. NIST 800-171 Program Building/Solution Design & Implementation

4. Mock Audits & Pre-Assessment Assistance

Whether you need help defining your CMMC scope, performing a pre-assessment and developing a Plan of Action and Milestones (POA&M), developing your CMMC governance collateral, managing your CMMC program, evaluating, selecting, and implementing security solutions, or building NIST 800-171/CMMC compliant security capabilities, ivision is ready to help you on your CMMC journey. Contact us today to get started.
