October 21, 2022

Last Updated on January 19, 2024

When Do We Need to Be CMMC 2.0 Certified?

One of the biggest questions that keeps coming up about the US Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) v2 is: when does it go into effect? When do defense suppliers need to be CMMC certified?

On a recent episode of The Virtual CISO Podcast, these and many other top CMMC questions were answered by CMMC expert George Perezdiaz, CMMC/NIST Security Consultant and Federal Risk practice lead at Pivot Point Security. Hosting the show is John Verry, Pivot Point Security CISO and Managing Partner.


Best guess on CMMC “launch date”

George notes a couple of points regarding the CMMC 2.0 rollout timeline:
• The planned schedule currently calls for CMMC rulemaking to be complete by May 2023.
• CMMC is expected (but not guaranteed) to start appearing in DoD contracts per the DFARS 7021 clause about 60 days after the rulemaking is complete, i.e., July 2023.


Can orgs bid on projects requiring CMMC if they are not yet CMMC Level 2 certified?

The answer to that question depends on when the bidding is happening.

Prior to the final CMMC rulemaking, it’s possible you could bid on DoD contracts because they won’t yet mandate CMMC, and it isn’t yet possible to be officially CMMC certified.

But once the rulemaking is complete and contracts start including DFARS 7021 clauses mandating CMMC compliance, you won’t be able to bid if you’re not compliant.

What about the CMMC v2 “waiver program”? That probably won’t be a factor for most defense industrial base (DIB) orgs, if it is ever confirmed. Depending on the criticality of the services that your business provides, as well as the DoD’s priorities and the availability of C3PAOs to perform certification assessments, it’s possible that some orgs could be granted extra time to achieve compliance, but this is not something to be counted on. The sooner you can be ready for your CMMC Level 2 assessment, the better off you will be.


How do we know which CMMC level we need to attain?

The CMMC level you need for a contract is specified in the contract. For example, if your contract has a FAR 52.204-21 clause, that means you need “basic safeguarding of covered contractor information systems” to protect federal contract information (FCI). This is equivalent to CMMC Level 1.

Does everyone in the DIB need some level of CMMC certification? Basically, yes. At a minimum, you need CMMC Level 1 compliance if you have a DoD contract. If you receive CUI or expect to receive CUI, you’ll need to transition up to CMMC Level 2.

“Either one of those is going to definitely be a requirement to play in that space, depending on the criticality of the programs and services you’re providing,” summarizes George.


What’s next?

To listen to the complete podcast with George Perezdiaz answering top CMMC questions, click here.

Interested in more CMMC v2 guidance? Here’s a relevant blog post: Important Clarifications on CMMC v2 from CMMC Day May 9, 2022