When will CMMC be in Contracts?

CMMC is expected to be codified by the end of 2024 and in some contracts in Q1 2025. However, this does not mean that companies should wait to begin a CMMC implementation plan. NIST 800-171, which CMMC is based on, is already required today. Furthermore, Primes are already beginning to require their subcontractors to meet CMMC compliance requirements…ahead of the rule.

Preparing for CMMC Level 2

Given that CMMC will be in some contracts in Q1 2025, you need to get started on your compliance preparations as it takes 12-18 months for the average defense contractor to get assessment ready. Doing nothing is not an option. If you do not get CMMC Certification, you will not be able to win DoD contracts.

Protecting CUI is at the core of NIST and thus CMMC compliance. Moreover, it is not enough to simply protect your CUI, you also must provide adequate documentation to be able to prove that you are compliant. CMMC assessments will be conducted by C3PAOs at levels 2 and 3. C3PAO Assessors will require your System Security Plan (SSP) to document how you are meeting each assessment objective, as well as providing sufficient evidence to demonstrate that you are actively doing what is in your SSP.

Conclusion

The goal for defense contractors is to not only remain eligible to win defense contracts, but also to minimize business risk and keep CUI out of the hands of our country’s adversaries. By getting started on your organization’s compliance journey you can achieve these objectives and ensure your company is ready for ramped-up federal enforcement of cybersecurity regulations.

Are you ready? If not, contact us today. The clock is ticking.