
CMMC Proposed Rule Public Comment Period Ends - What You Need To Know!

We wanted to reach out and give you a high-level summary of the CMMC proposed rule along with our estimated CMMC timeline. The public comment period ended 2/29/2024. CyberNINES did provide comments as part of a group submission that Scott Singer led.

High level:

  1. Our current estimated timeline:
    1. C3PAO Assessments could be authorized and begin as early as Q1 2025
    2. CMMC DFARS could start showing up in contracts by Q3 2025
  2. CyberNINES believes that there will be a push by primes to get subs to complete their C3PAO Assessments before it is required in DFARS, i.e., after Q1 2025
  3. External IT managed service providers (DoD calls them ESPs) must also meet the level of the company they are supporting and get a C3PAO Assessment


Medium Level:

  1. There are two rules, 32CFR and 48CFR. 
    1. 32CFR describes the CMMC program and authorizes C3PAOs to do assessments
    2. 48CFR creates the DFARS that will show up in contracts as DFARS 252.204-7021
  2. The 32CFR CMMC Proposed Rule was released on 12/26/23, with the public comment period ending 2/26/24, projected final rule by ~ Oct 2024
  3. The 48CFR rule will come out in ~ May 2024 and be completed by ~ May 2025
  4. Phased rollout of CMMC Assessments starting ~ Q3 2025 and expected in all contracts by ~ Q1 2027
  5. The majority of our clients will need to have a CMMC Level 2 Assessment performed by a third party
    1. Level 1 (FCI) will be self-assessed
    2. Level 2 (CUI) will be assessed by a CMMC Third Party Assessor Organization (C3PAO)
    3. Level 3 (large Primes) will be assessed by DoD DIBCAC after a L2 C3PAO Assessment
  6. A C3PAO assessment will be required every 3 years; in the off years, a self-assessment with a SPRS score must be entered by a senior official of the company


And of course, please reach out if you have any questions.