What are the next steps in your CMMC journey?

With CMMC requirements likely to start appearing in Q1 2025, organizations must be close to ready today. Explore what to do next, based on where you are now.


Here in the last half of 2024, a lot of organizations are asking themselves: what should we do next? While it isn’t an absolute, even the most pessimistic observers are coming around to the understanding that the Cybersecurity Maturity Model Certification (CMMC) 2.0 has a very high probability of becoming a final rule and going into effect. From a practical perspective, it is likely that CMMC requirements will start appearing in contracts in Q1 2025, potentially February or March 2025. While the precise timing remains under debate, the practical fallout is that your organization needs to be close to ready for CMMC today.

All of us webinar and conference speakers who said “Start now, before it’s too late” have changed our message to “You’re late! Start now, before it gets even harder.” It is not uncommon for full preparation to pass a CMMC assessment to take 12 to 18 months.

Taking a broad look at the CMMC landscape, organizations likely fall into one of three categories:

  1. The Prepared
  2. A Little CMMC, Now and Then
  3. Final Rule or No CMMC

Your company may fall anywhere within one of these categories. Let’s look at what you need to do to be ready, category by category.

The prepared

This group is ready. Those who were able and eligible applied for a Joint Surveillance Voluntary Assessment (JSVA) and passed it. They are comfortable in the knowledge that when the rule takes effect, their JSVA results will convert into a three-year CMMC Level 2 certificate, and they have been working out how to implement NIST SP 800-171 Rev. 3 even though it isn’t required today, because they know it is coming and it improves their cyber posture.

The Prepared have a subgroup who couldn’t join the JSVA program and so went down a different path. They worked with C3PAOs (CMMC Third-Party Assessment Organizations) on mock assessments and have already placed a deposit to be among the first to go through a CMMC Level 2 assessment as soon as the rule is finalized. Their documentation, processes, artifacts, and culture have all been tested and retested. They are ready to join the ranks of the CMMC Level 2 certified, and like the JSVA group, they are also planning for NIST SP 800-171 Rev. 3.

The CMMC Prepared know they won’t miss out on any contracts; they are positioned to win new business while competitors aren’t ready. They have made cybersecurity a vital part of their go-to-market strategy and understand that incorporating cybersecurity into their business and culture is a strategic advantage.

A little CMMC, now and then

This group is nervous. They know they should be ready, but they aren’t. Some have completed a self-assessment but have not had it independently verified, meaning they don’t actually know whether they are ready. The ones who have taken a hard, introspective look will admit they need to do more.

This group is beginning to scramble. If they start the heavy lifting now, they might avoid missing out on contracts, and if they are lucky they might be able to book a C3PAO on their schedule. They are asking management for more funds and more support, explaining the situation they are in because, gasp, CMMC is going to happen after all! In all fairness, this is the same management team that chose not to invest earlier, did not make preparedness a company priority, and is now in reactive mode.

There may be a silver lining here. While this group is late and must start now, if they take CMMC seriously and devote adequate resources (people, money, and cultural change), they have a reasonable probability of being certified before losing out on defense contracts. They need to connect with a strong RPO (Registered Provider Organization) or a C3PAO to help them prepare, and they need to engage a different C3PAO for the actual CMMC assessment, since a C3PAO cannot assess an organization it has helped prepare. They should make a deposit to reserve their spot in line, because there will be many more organizations seeking certification than the current RPOs and C3PAOs can process in a timely manner. That reservation also time-bounds the preparation work, which makes the process harder and more expensive. The delays will cost extra effort and resources, but if they go all in now, they can set their business on track to be ready for CMMC on time, or at worst with minimal delays.

Final rule or no CMMC

This group decided that CMMC wouldn’t happen soon, and that if it did, it wouldn’t hurt their business. They have, on average, 12-18 months of preparation work ahead before they will be ready for a C3PAO to assess them. They will struggle to find a good C3PAO or RPO to partner with, as most will already be engaged. The sad truth is that there are not enough qualified organizations to help, and the best ones are already being booked for future work. The supply of C3PAOs is far too small for the estimated 175,000+ contractors who will seek certification.

This group has a real potential of losing work when either a DoD contracting officer or their prime contractor requires a CMMC Level 2 certification. Members of this group should quickly complete and document a CMMC Level 1 self-assessment, in hopes of capturing some work while they work toward Level 2, to help minimize their losses. While not required, using an RPO or C3PAO will lend assurance to the process and demonstrate that they are committed to making progress.

The future

Depending on which of these three categories your company falls into, the future looks very different. Most organizations are not CMMC Prepared, and those that are not have a lot of hard work ahead.

CohnReznick is both an RPO and a C3PAO. We have helped others pass their assessments, and as a C3PAO we have passed our own. Our experience spans more than a decade, back to when the requirement was a single DFARS clause rather than a certification program. No matter where you are in your CMMC journey, CohnReznick can help you catch up as quickly as possible.

OUR PEOPLE

Subject matter expertise

Stephen Gilmer
C|CISO, Director, Cybersecurity, Technology Risk, and Privacy

Bhavesh Vadhani
CISA, CRISC, CGEIT, PMP, CDPSE, Principal, Global Leader, Cybersecurity, Technology Risk, and Privacy


This has been prepared for information purposes and general guidance only and does not constitute legal or professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick LLP, its partners, employees and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.