Final CMMC Rule: Next steps for your organization

The final Cybersecurity Maturity Model Certification (CMMC) rule is here. Read our breakdown of what this could mean for your organization, next steps to take, and how we can help.

After years of speculation, delays, and anticipation, Cybersecurity Maturity Model Certification (CMMC) is finally here and real.

The Department of Defense (DoD) released a preview of the final CMMC rule on Oct. 11, and it was formally published on Oct. 15, with an effective date of Dec. 16, 2024.

What does this mean for your organization?

The impact of the final CMMC rule will vary depending on your organization’s level of preparedness and the type of data your organization handles: Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). If you only handle FCI, you only need to conduct a self-assessment at CMMC Level 1. If you receive or generate CUI, either a self-assessment or a Certified Third-Party Assessor Organization (C3PAO) assessment at CMMC Level 2 will be required, depending on the contract.

For those who have been proactive, the final rule includes clarifications on certification processes for External Service Providers (ESPs) and the use of Virtual Desktop Infrastructure (VDI) to simplify CMMC compliance. These organizations may only need to make minor updates, confirm their ESPs are on track, and collaborate with their preferred C3PAO to reserve time on their schedule for a CMMC assessment.

For organizations that have been actively following along but have not yet undertaken the necessary due diligence, immediate action is required. The DoD’s data suggests it could take up to seven years for all contracts to include CMMC requirements. However, no organization wants to be in a position where they cannot accept new work or renew existing contracts due to noncompliance. Prime contractors will also want assurance of readiness. These organizations should expect 3 to 12 months of work before they can schedule a C3PAO assessment. In the meantime, conducting a self-assessment at CMMC Level 1 is advisable.

For those who were counting on this day to never happen, the reality is that you now have 12 to 18 months of work ahead to achieve compliance. Starting with a CMMC Level 1 self-assessment is crucial to demonstrate your commitment. Engaging a strong Registered Provider Organization (RPO) can help expedite your progress.

It is essential to review your business practices, data flows, and policies to be sure they meet C3PAO standards. Additionally, given the limited number of RPOs and their resources, promptly securing an RPO agreement will help make sure your needs are prioritized.

Future clarifications and guidance

The DoD and the Cyber AB will issue further guidance in the coming months to provide additional clarity. While the question of when CMMC will be implemented has been answered, the remaining question is when your organization will be ready to participate.

How CohnReznick can assist

As both an RPO and a C3PAO, CohnReznick has been involved since the inception of cyber DFARS and the early discussions of CMMC at the DoD. We have successfully guided organizations through DIBCAC High assessments and CMMC preparations. We are ready to help your organization achieve CMMC compliance.
