Back to Top Icon

Still Have Doubts About The Implementation of CMMC 2.0?

For the companies that think they can wait this out. The idea that CMMC won't actually be implemented is long gone. The DOD proposed rule is at your doorstep for everyone to read and understand. 


There has been plenty of discussion and information provided about what CMMC will require before the rule goes into effect. The good news is the proposed rule has laid out mostly what has been advertised over the course of the past two years since CMMC changed to CMMC 2.0. The Defense Department published the proposed rule for a 60-day comment period for the Cybersecurity Maturity Model Certification program.

Ethics and Conflicts of interest are discussed at length to ensure shortcuts aren't taken. Ensuring trust and confidence that when companies are assessed by C3PAOs there is impartiality. Conflicts of interest need to be disclosed, mitigated, avoided and documented prior to an assessment. 

Notable Information About the scope of External Service Providers, Cloud Service Providers, and Managed IT Service Providers:

- Managed IT Service Providers and Managed Security Service Providers will be able to get CMMC certified and will have to obtain the same level certification before their client can approach a C3PAO to get theirs. 

- Cloud service providers will be required to have FEDRAMP equivalency to satisfy CMMC compliance.

Although there are still questions about whether controls can be inherited from an ESP. The public comment period may clear this up. 

Rollout Timeline

Currently in a public comment period which allows for feedback to be provided to the DOD on the proposed rule.  Comments will likely not change much in the final rule. The proposed rule should be considered close to final. 

The public comment period ends February 26th

The DOD will then review Public Comments for approximately 12-18 Months. 

The final rule publication is expected to be effective between February and July of 2025 with CMMC in contracts via a phased roll out by Q1/Q2 of 2025. 

Only 2 percent of companies required to achieve Level 2 Compliance will be able to self assess.

Estimated Number of Entities by Type and Level

Start Now 

Companies waiting to start CMMC compliance risk falling behind in cybersecurity preparedness, potentially facing significant challenges when regulations become mandatory. Early adoption of CMMC practices ensures a strong cybersecurity posture, aligning with the Department of Defense's requirements for safeguarding sensitive information. Delay could lead to rushed implementation, higher costs, and potential exclusion from DoD contracts, emphasizing the importance of proactive engagement with the CMMC framework to maintain competitive advantage and ensure national security contributions. Don't be the target of investigations under the False Claims Act (FCA).

Experts estimate that implementation of CMMC controls into their cybersecurity program can take anywhere from 12- 18 months on average. So the time to act is right now. 

Share this post