We wanted to reach out and give you a high-level summary of the CMMC proposed rule along with our estimated CMMC timeline. The public comment period ended 2/29/2024. CyberNINES did provide comments as part of a group submission that Scott Singer led.
High Level:
- Our current estimated timeline:
  - C3PAO Assessments could be authorized and begin as early as Q1 2025
  - CMMC DFARS could start showing up in contracts by ~ Q3 2025
- CyberNINES believes that there will be a push by primes to get subs to complete their C3PAO Assessments before it is required in DFARS, i.e., after Q1 2025
- External IT managed service providers (DoD calls them ESPs) must also meet the level of the company they are supporting and get a C3PAO Assessment
Medium Level:
- There are two rules, 32CFR and 48CFR.
  - 32CFR describes the CMMC program and authorizes C3PAOs to do assessments
  - 48CFR creates the DFARS that will show up in contracts as DFARS 252.204-7021
- The 32CFR CMMC Proposed Rule was released on 12/26/23, with the public comment period ending 2/26/24, projected final rule by ~ Oct 2024
- The 48CFR rule will come out in ~ May 2024 and be completed by ~ May 2025
- Phased roll out of CMMC Assessments starting ~ Q3 2025 and expected in all contracts by ~ Q1 2027
- Majority of our clients will need to have a CMMC Level 2 Assessment performed by a third party
  - Level 1 (FCI) will be self-assessed
  - Level 2 (CUI) will be assessed by a CMMC Third Party Assessor Organization (C3PAO)
  - Level 3 (large Primes) will be assessed by DoD DIBCAC after a L2 C3PAO Assessment
- A C3PAO assessment will be required every 3 years; in the off years, a self-assessment will be required, with the SPRS score entered by a senior official of the company
And of course, please reach out if you have any questions.