CMMC Timeline Update

With today's publication of the Cybersecurity Maturity Model Certification (CMMC) proposed rule, a 60-day public comment period has opened; it will end on February 26th, 2024. This public comment period could be extended due to the length of the publication.

Under the new CMMC publication, the rule is listed as a proposed rule rather than an interim final rule. This means the proposed rule will go into effect after the agency responds to the public comments for the final rule. The public comment review period will usually last 12-18 months, meaning that CMMC will go into effect sometime between February and July 2025. Once CMMC goes into effect, the proposed rule will have a four-phased rollout.

The phased rollout will implement CMMC and the different levels over about 30 months. The rule leaves the DoD free, purely at its own discretion, to require that solicitations and contracts include a Self-Assessment or Certification Assessment before the effective date. Because the DoD could require a Self-Assessment before the effective date, it is imperative that your organization's CMMC compliance work is already underway.

As we read further through the publication, we will keep you updated on any new information on CMMC and on how you can become compliant. As you get your CMMC compliance underway, check out Dustin Monney's recent blog that identifies six key skills you'll need to optimize your CMMC journey.