April 24, 2025

The US Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) 2.0 program is poised to roll out as soon as the draft acquisition rule is finalized. The DoD's hope has been to begin including CMMC requirements in contracts by mid-2025.

Yet many SMBs in the US defense industrial base (DIB) remain unclear on when they need to achieve CMMC compliance. This short article spells out the DoD’s current phased rollout timetable, including remaining unknowns.

Does CMMC 2.0 apply to my company?

CMMC 2.0 requirements will apply to all DoD solicitations and contracts that require a defense contractor or subcontractor to store, process, or transmit federal contract information (FCI) or controlled unclassified information (CUI) on their own unclassified information systems. This includes contracts for the acquisition of commercial items. There is a limited CMMC compliance exemption for contracts that pertain entirely to commercially available off-the-shelf (COTS) items.

Any cybersecurity requirements that apply to a prime contractor will likewise “flow down” to any subcontractor that handles the prime’s FCI and/or CUI.

When can the DoD start rolling out CMMC?

CMMC’s 48 CFR rule must be final before the DoD can begin the planned CMMC phased rollout. Only at that point can CMMC certification requirements and other CMMC language begin appearing in DoD contracts and subcontracts.

The phased CMMC rollout will begin on the date the final 48 CFR (DFARS) rule is published. The first phase implements CMMC Level 1 (Foundational) requirements in contracts that involve FCI. CMMC Level 2 (Advanced) certification requirements for contracts involving CUI will start appearing in DoD contracts one year later (e.g., mid-2026 if the rule is final by mid-2025). CMMC Level 3 (Expert) certification requirements for contracts dealing with the most sensitive CUI will follow another year after that (e.g., mid-2027).

Could Trump’s deregulation mandate derail CMMC?

While the Trump administration’s regulatory freeze has been lifted, Trump has issued an executive order requiring agencies to rescind ten or more rules or regulations for every new rule approved. The DoD acknowledges that the CMMC acquisition rule could be delayed by that process, but still hopes it can be finalized by mid-2025.

Most experts are betting that CMMC 2.0 will ultimately survive the regulatory retrenchment because of its criticality to national security, and because CMMC was initiated during Trump’s first term. But it’s possible that new appointees will reevaluate the program and attempt to scale it back.

What about getting a waiver on CMMC certification?

Until the CMMC rulemaking is final, DIB orgs can continue to bid on DoD contracts, because those contracts won’t yet require CMMC certification. But once the phased rollout begins and contracts start mandating CMMC compliance, only companies that have achieved CMMC compliance at the required level will be able to bid.

What about the waiver program that has been part of CMMC 2.0? According to a recent memo, DIB orgs cannot request waivers themselves. Instead, the program manager and contracting activities decide whether a waiver might be requested for an individual procurement or a class of procurements, subject to executive-level approval. Waivers will not be available for procurements requiring performance by cleared defense contractors.

The DoD states that waivers are unlikely to apply to CMMC Level 1 and CMMC Level 2 self-assessment procurements. Waiving the Level 2 or 3 third-party assessment requirements will also be very rare. Importantly, waivers apply only to the need for an assessment, not compliance with the cybersecurity requirements mandated by the contract.

The memo further clarifies that CMMC Level 2 self-assessments will only apply to contractors whose CUI does not fall under any of the categories under the National Archives CUI Registry Defense Organizational Index Grouping. Examples of Defense Index CUI include Controlled Technical Information, DoD Critical Infrastructure Security Information, and Unclassified Controlled Nuclear Information – Defense.

In short, DIB orgs should not count on a waiver or self-assessment option to help them sidestep the CMMC 2.0 requirements, because the DoD plans to enforce these wholesale across the DIB.

Should we wait to see what happens with CMMC?

The rule defining the CMMC program (32 CFR) has been finalized. But the rule that enforces CMMC 2.0 compliance within DoD contracts (48 CFR) has not yet been finalized, although public comment on it closed on October 15, 2024.

48 CFR is still subject to change as noted above, so the DoD cannot yet implement CMMC 2.0. It is also possible that Congress could block CMMC from going into effect.

But gambling on CMMC “going away” has a steep downside for multiple reasons:

  • Lax cybersecurity among DIB SMBs means continued success for US adversaries who relentlessly exfiltrate CUI and other sensitive data.
  • Lax cybersecurity puts SMBs at risk for data breaches and other incidents that come with big price tags to address operational, legal, and reputational damages, including the loss of potential defense contracts. The longer it takes you to bolster security, the greater your risk of a major incident.
  • Whatever happens with CMMC, it seems unlikely that DIB orgs handling CUI will see a significant downsizing of their cybersecurity compliance requirements from what has been in place (self-attested compliance with NIST 800-171, equivalent to CMMC Level 2).
  • If and when CMMC 2.0 language starts appearing in DoD contracts, there will be a scramble to achieve CMMC certification and many organizations will be unable to bid on contracts while they wait for their third-party assessments.
  • For the sake of their own competitiveness and security, prime contractors are already requiring their subs to meet CMMC requirements ahead of the rulemaking.

Despite being subject to NIST 800-171 requirements since 2016, DIB SMBs that handle CUI continue to report that they do not feel prepared for CMMC Level 2 compliance. The problems most frequently cited include resource constraints, the technical complexity of the mandated controls, difficulty establishing CMMC scope, and questions about how to interpret the requirements.

A ballpark average timeframe to become CMMC assessment-ready is approximately 12 months. Thus, the safest course for DIB SMBs is to step up now and prioritize a cybersecurity and compliance reporting program that aligns with NIST 800-171/CMMC.

With that approach, the odds are better that your business can achieve CMMC certification in time to bid on contracts requiring CMMC Level 2 when those become ubiquitous, most likely in 2026. If you come up short, you will be unable to continue bidding on defense contracts.

What’s next?

As a CMMC Registered Provider Organization (RPO) with over 20 years’ experience helping SMBs achieve provable security and compliance, CBIZ Pivot Point Security can guide your organization to a successful CMMC certification at your designated level. We tailor our consulting services to your unique scenario, working with you to determine the optimal path for your organization to achieve and maintain CMMC compliance.

To connect with a CMMC expert about your cybersecurity goals and concerns, contact CBIZ Pivot Point Security.