What’s happening with CMMC?

The publication of the final rule will not translate to a requirement that all companies must be CMMC-certified by September 30, 2024, or by the end of 2024.


Over the course of the past year, one of the most common questions we have received is, “What’s happening with CMMC? Is there a rule yet?”

The exciting news is that rulemaking for CMMC is moving, and it is really coming. The slightly less exciting news is that the final CMMC rule is still in the works, and the details of when implementation and the mandate will go into effect are still to be determined. Conservative estimates forecast this for the U.S. Department of Defense (DOD) Fiscal Year 2025 (this translates to late 2024 in the regular calendar year).

Didn’t I hear it was published?

The verbiage surrounding CMMC rulemaking may sound confusing. The DOD published a proposed rule on December 26, 2023. The proposed rule requires two months of public comment, followed by 180 days for reviewing or addressing the comments. When the DOD publishes the final rule, it will take effect after 60 days. The proposed rule is a major step forward in CMMC coming to fruition. The public comment period ended on February 26, 2024. The DOD received only 368 public comments, fewer than half the number received on the first draft of CMMC.

What happens next?

The publication of the final rule will not translate to a requirement that all companies must be CMMC-certified by September 30, 2024, or by the end of 2024. There will be a roll-out period for CMMC to start appearing in contracts. The current rule provides for companies that receive their NIST 800-171 conformance statement now to have it converted to a CMMC certificate after the rule is published. Contractors that delay their compliance and certificate risk losing DOD contracts because companies with a CMMC certification will be viewed as less risky.

What should you be doing now?

The best thing right now is to make sure your organization is compliant with NIST SP 800-171r2 standards. Stay up to date with CMMC rulemaking, and be prepared to undergo your CMMC third-party assessment. Additionally, reach out to your contracting officers to understand their position on CMMC certification and when they expect CMMC certifications from their contractors. Complete as much as possible now so that when the CMMC rush begins, your company is ready and in the lead.

What about NIST SP 800-171r3?

You may be hearing some questions in the industry regarding NIST SP 800-171r3. NIST has stated they will release this revision to NIST 800-171 in the second or third quarter of 2024. Many contractors want to know if their CMMC assessment will be against revision two or revision three.

The CMMC proposed rule refers specifically to revision two, and DFARS 252.204-7012 points generally to the most current version of NIST 800-171. Contractors should focus on revision two now. There will be time for the industry to transfer to the newer revision three, but for the first round of CMMC assessments it is looking like 800-171r2 will be the key. Do not try to take on revision three now, particularly if you are not yet done with revision two compliance.

It is a complicated rulemaking and standard-updating landscape. If you would like to learn more about NIST 800-171, feel free to visit our website: https://www.smithers.com/services/audit/nist-800-171.

April/May 2024