FutureFeed's Projected - CMMC Implementation Timeline
The Cybersecurity Maturity Model Certification (CMMC) Program is a major initiative aimed at improving cybersecurity across organizations working with the Department of Defense (DoD). It ensures companies handling sensitive defense information meet the stringent security requirements of NIST SP 800-171 Rev 2. To help you stay ahead, FutureFeed has developed this comprehensive timeline.
This timeline outlines the phased implementation of the CMMC Program and its projected start dates, giving you the clarity needed to plan your business’s NIST SP 800-171 implementation goals around key assessment milestones. By aligning your efforts with these dates, you’ll be better prepared to meet assessment requirements and maintain eligibility for DoD contracts.
Here’s a phase-by-phase breakdown of what to expect. These dates are projections based on typical federal timelines but are subject to change as government priorities evolve.
But First, What Are the Driving Regulations?
- 32 CFR Part 170: This is the CMMC Program, outlining who needs to comply, what they need to do, and when. If your business handles DoD contracts, this is your playbook.
- 48 CFR Part 204: This regulation embeds CMMC requirements into DoD contracts via a DFARS contract clause, ensuring compliance is tied directly to eligibility for contract awards.
These regulations set the foundation for the rules and timelines driving the CMMC Program’s phased implementation.
Phase 0: DoD Final Contract Acquisition Rule - The Starting Point
The journey begins here. Once this regulation takes effect, projected for Q2 2025, DoD contracts and solicitations will officially include CMMC requirements. This marks the foundation for the phased approach outlined in the CMMC Program and sets the stage for all subsequent phases.
Phase 1: CMMC Level 1 and Level 2 Self-Assessments
- Expected Start: Q2 2025
- What to Expect:
  - DoD will include the Level 1 or Level 2 self-assessment requirement for all applicable DoD solicitations and contracts as a condition of contract award.
  - DoD may, at its discretion, include Level 1 or Level 2 self-assessment requirements for applicable DoD solicitations and contracts as a condition to exercise an option period on a contract awarded prior to the effective date.
  - DoD may also, at its discretion, include the Level 2 C3PAO certification assessment requirement in place of the Level 2 self-assessment requirement for applicable DoD solicitations and contracts.
Phase 2: CMMC Level 2 Certification Assessments (C3PAO)
- Expected Start: Q2 2026
- What to Expect - In addition to Phase 1 requirements:
  - DoD will include the Level 2 C3PAO certification assessment requirement for applicable DoD solicitations and contracts as a condition of contract award.
  - DoD may, at its discretion, delay the inclusion of the Level 2 C3PAO certification assessment requirement to an option period instead of as a condition of contract award.
  - DoD may also, at its discretion, include the Level 3 DIBCAC assessment requirement for applicable DoD solicitations and contracts.
Phase 3: CMMC Level 3 Certification (DIBCAC)
- Expected Start: Q2 2027
- What to Expect - In addition to Phase 1 and 2 requirements:
  - DoD will include the Level 3 DIBCAC assessment requirement for applicable DoD solicitations and contracts as a condition of contract award and as a condition to exercise an option period on a contract awarded after the effective date.
  - DoD may, at its discretion, delay the inclusion of the Level 3 DIBCAC assessment requirement to an option period instead of as a condition of contract award.
Phase 4: Full CMMC Implementation
- Expected Start: Q2 2028
- What to Expect:
  - DoD will include CMMC Program requirements in all applicable DoD solicitations and contracts, including option periods on contracts awarded prior to the beginning of Phase 4.
Why Track These Dates?
Keeping an eye on these dates ensures you’re prepared for upcoming requirements. Here’s why it’s essential:
- Stay Competitive: Ensure your eligibility for new contracts.
- Avoid Last-Minute Rush: Plan your compliance efforts in advance.
- Demonstrate Readiness: Show potential partners and the government that your business is ahead of the curve.
By aligning your NIST SP 800-171 implementation and CMMC assessment plans with this timeline, you’ll stay on track and ready to meet DoD requirements.
Wrapping It Up
The journey to CMMC compliance doesn’t have to be daunting. With this timeline, you have a clear roadmap to follow. By staying proactive and aligning your efforts with these projected dates, you’ll ensure readiness and maintain your competitive edge. FutureFeed is here to support you every step of the way.
Stay tuned for updates! FutureFeed will update this timeline as dates evolve and new information becomes available.
Key Terms and Acronyms
To help you navigate this article, here are some quick and easy definitions of the key terms and acronyms used throughout:
- CFR (Code of Federal Regulations): The official compilation of all permanent rules and regulations issued by the federal agencies and executive departments of the United States government. In this article, it refers to regulations governing CMMC and cybersecurity requirements.
- FAR (Federal Acquisition Regulation): The primary set of rules governing all federal procurement processes. FAR ensures consistency and fairness in government contracting.
- DFARS (Defense Federal Acquisition Regulation Supplement): A set of rules and guidelines that the DoD uses to regulate how it buys goods and services from contractors. It supplements the Federal Acquisition Regulation (FAR) with specific requirements for DoD contracts, including cybersecurity, compliance, and security standards.
- C3PAO (Certified Third-Party Assessment Organization): Organizations authorized to conduct official CMMC certification assessments.
- DIBCAC (Defense Industrial Base Cybersecurity Assessment Center): A DoD entity responsible for conducting Level 3 CMMC assessments and ensuring compliance for high-sensitivity contracts.
References
This timeline is based on insights from:
- Federal Register: Tracking updates to 32 CFR Part 170 and 48 CFR regulations.
- DoD Acquisition Regulations (DFARS): Insights into 48 CFR Part 204.
- Federal Rulemaking Trends: Historical data to estimate regulatory timelines.
FutureFeed’s expertise and these trusted sources provide a reliable guide to navigating CMMC requirements.