Podcast

CMMC Program Proposed Rule Published in the Federal Register: Insights Into the Proposed Rule and When CMMC 2.0 Will Be Required

calendar iconJanuary 4, 2024

Stay Connected

Cherry Bekaert Government Contractors Google Podcasts Cherry Bekaert Government Contractors Google Podcasts Cherry Bekaert Government Contractors Spotify Podcasts

On December 26, 2023, the proposed rule for the Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) Program was published in the Federal Register. Comments to the proposed rule are due by February 26, 2024.

What does the CMMC proposed rule mean for DoD contractors or contractors looking to do business with the DoD?

Listen to Eric Poppe, a Managing Director in Cherry Bekaert’s Government Contractor Industry practice and Brian Kirk, Senior Manager in the Firm’s Information Assurance & Cybersecurity practice, as they share insights into the proposed rule, including the surprises that came out and DoD’s timing for implementation through contracts.

  • Refresher on CMMC Level 1 Self-Assessment, CMMC Level 2 Self-Assessment + CMMC Third-Party Assessment Organization (C3PAO) Assessment, and CMMC Level 3 Government-Led Assessment
  • Equivalency: Cloud Service Provider (CSP) and External Service Provider (ESP)
  • Phased Implementation (DoD rollout in solicitations)
  • Final Certification vs. Conditional Certification
  • CMMC Level 3 requires a CMMC Level 2 Final Certification
  • Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) High conversion to CMMC Level 2 Final Certification for prefect scores
  • Cost Considerations

When will CMMC 2.0 compliance be required for DoD contracts?

The below table outlines DoD’s four implementation phases.

Phase

Summary

Timeline

Phase 1
  • The DoD intends to include CMMC Level 1 or CMMC Level 2 Self-Assessments for all applicable DoD solicitations and contracts as a condition of contract award.
  • The DoD may include:
    • CMMC Level 1 or CMMC Level 2 Self-Assessments for applicable DoD solicitations and contracts as a condition to exercise an option period on a contract awarded prior to the effective date of DFARS 7021.
    • CMMC Level 2 Certification Assessment in place of CMMC Level 2 Self-Assessment for applicable DoD solicitations and contracts.
Begins on the effective date of the CMMC revision to DFARS 7021.
Phase 2
  • The DoD intends to include CMMC Level 2 Certification Assessment (requires a C3PAO) for all applicable DoD solicitations and contracts as a condition of contract award.
  • The DoD may:
    • Delay the inclusion of CMMC Level 2 Certification Assessment to an option period instead of as a condition of contract award.
    • Include CMMC Level 3 Certification Assessment for applicable DoD solicitations and contracts.
Begins six months following the start date of Phase 1.
Phase 3
  • CMMC Level 2 Certification Assessment (requires a C3PAO) for all applicable DoD solicitations and contracts as a condition of contract award and as a condition to exercise an option period on a contract awarded prior to the effective date of DFARS 7021.
  • CMMC Level 3 Certification Assessment requirements included for all applicable DoD solicitations and contracts as a condition of contract award.
Beings one calendar year following the start of Phase 2.
Phase 4
  • Full Implementation: The DoD will include CMMC Program requirements in all applicable DoD solicitations and contracts, including option periods on contracts awarded prior to the beginning of Phase 4.
Begins one calendar year following the start date of Phase 3.

How do I prepare for CMMC certification?

If you have any questions regarding CMMC, Cherry Bekaert’s Information Assurance & Cybersecurity and Government Contracting advisors are available to discuss your situation with you.

Cherry Bekaert is an authorized CMMC Third-Party Assessment Organization (C3PAO) by the Cybersecurity Maturity Model Certification (CMMC) Accreditation Body, Inc. (The Cyber AB). We assist Organization’s Seeking Certification (OSCs) with CMMC readiness assessments for Levels 1, 2 and 3. Additionally, as an authorized C3PAO, Cherry Bekaert partners with the Defense Contractor Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) under their Joint Surveillance audit program to perform DIBCAC High (NIST 800-171) Assessments which are convertible to CMMC Level 2 Certification, if a perfect score is obtained.

Having undergone Level 2 assessment as a Firm, Cherry Bekaert has a deep understanding of the assessment process to guide DoD contractors seeking a CMMC assessment.

Catch up on Cherry’s Bekaert’s previous guidance pertaining to CMMC 2.0:

Questions? Contact Us

View all Government Contracting Podcasts