CMMC Program Proposed Rule Published in the Federal Register: Insights Into the Proposed Rule and When CMMC 2.0 Will Be Required
January 4, 2024
Stay Connected
On December 26, 2023, the proposed rule for the Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) Program was published in the Federal Register. Comments to the proposed rule are due by February 26, 2024.
What does the CMMC proposed rule mean for DoD contractors or contractors looking to do business with the DoD?
Listen to Eric Poppe, a Managing Director in Cherry Bekaert’s Government Contractor Industry practice and Brian Kirk, Senior Manager in the Firm’s Information Assurance & Cybersecurity practice, as they share insights into the proposed rule, including the surprises that came out and DoD’s timing for implementation through contracts.
- Refresher on CMMC Level 1 Self-Assessment, CMMC Level 2 Self-Assessment + CMMC Third-Party Assessment Organization (C3PAO) Assessment, and CMMC Level 3 Government-Led Assessment
- Equivalency: Cloud Service Provider (CSP) and External Service Provider (ESP)
- Phased Implementation (DoD rollout in solicitations)
- Final Certification vs. Conditional Certification
- CMMC Level 3 requires a CMMC Level 2 Final Certification
- Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) High conversion to CMMC Level 2 Final Certification for prefect scores
- Cost Considerations
When will CMMC 2.0 compliance be required for DoD contracts?
The below table outlines DoD’s four implementation phases.
Phase |
Summary |
Timeline |
| Phase 1 |
|
Begins on the effective date of the CMMC revision to DFARS 7021. |
| Phase 2 |
|
Begins six months following the start date of Phase 1. |
| Phase 3 |
|
Beings one calendar year following the start of Phase 2. |
| Phase 4 |
|
Begins one calendar year following the start date of Phase 3. |
How do I prepare for CMMC certification?
If you have any questions regarding CMMC, Cherry Bekaert’s Information Assurance & Cybersecurity and Government Contracting advisors are available to discuss your situation with you.
Cherry Bekaert is an authorized CMMC Third-Party Assessment Organization (C3PAO) by the Cybersecurity Maturity Model Certification (CMMC) Accreditation Body, Inc. (The Cyber AB). We assist Organization’s Seeking Certification (OSCs) with CMMC readiness assessments for Levels 1, 2 and 3. Additionally, as an authorized C3PAO, Cherry Bekaert partners with the Defense Contractor Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) under their Joint Surveillance audit program to perform DIBCAC High (NIST 800-171) Assessments which are convertible to CMMC Level 2 Certification, if a perfect score is obtained.
Having undergone Level 2 assessment as a Firm, Cherry Bekaert has a deep understanding of the assessment process to guide DoD contractors seeking a CMMC assessment.
Catch up on Cherry’s Bekaert’s previous guidance pertaining to CMMC 2.0:
- Podcast: How Will NIST Special Publication (SP) 800-171, Revision 3 Impact CMMC?
- Article: Updated Projected Timeline for CMMC: What this Means for Contractors and How to Prepare for Certification
- Podcast: Final CMMC Rule: March 2023 Update
- Podcast: CMMC 2.0 – Where Does It Stand?
- Podcast: What’s New with CMMC 2.0?: August 2022 Update
- Podcast: CMMC 2.0 Brings Major Program Changes
- On-Demand Webinar: CMMC 2.0 Brings Major Program Changes