What Does the Change to CMMC 2.0 Mean for Your Company? For one thing, it means that the time to begin preparing is now. Any business that contracts with the DoD or subcontracts with a business that sells to the DoD must achieve compliance.
The DoD has stated that CMMC 2.0 will not be a contractual requirement until the Department completes rulemaking to implement the program. Since the announcement of CMMC 2.0 in November of 2021, the DoD has maintained that the CMMC 2.0 rulemaking process could take anywhere from 9-24 months. According to their website, “the interim DFARS rule established a five-year phase-in period, during which CMMC compliance is only required in select pilot contracts, as approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)).”
In fact, an Inside Cybersecurity article cites DoD Director of CMMC Policy, Stacy Bostjanick, who stated, “We are thinking, hoping, and praying that by next March [2023] we will be approved to get an interim rule. There will be a 60-comment period which will put us at the end of May 2023.” If that timeline holds, contractors have no time to waste.
Further cementing the forward progress, Inside Cybersecurity announced in July 2022 that The Cyber AB is beginning the first official CMMC assessment on August 22, 2022, under the Pentagon’s “joint surveillance voluntary program,” where a certified third-party assessment organization will conduct the examination and report the results to the Defense Contract Management Agency for final approval. These assessments are being led by accredited C3PAOs with supervision from the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) and will convert into CMMC assessments upon completion of CMMC Rule Making, expected in March 2023.
For many organizations, contracts with the DoD make up a significant part of their revenue. If your company is audited by the DoD and found to be non-compliant, you will be given a stop-work order until your company can implement sufficient security measures to keep CUI protected. The DoD can also impose fines on contractors for breach of contract and false claims. Compliance is also worthwhile for organizations that don’t currently work for the DoD since it can open up new business opportunities in the future. It’s also worth noting that DoD CMMC 2.0 is one of the most comprehensive cybersecurity compliance regimens currently in place, so it’s a great way to establish an organization’s authority in cybersecurity.
It’s important to note that the new CMMC 2.0 requirements don’t replace DFARS regulations. In fact, every DoD contractor that deals with CUI still runs the risk of losing their contracts if they do not comply with the minimum security requirements of DFARS.
Making this transition can be overwhelming, but it doesn’t have to be. That’s why we’ve created this guide to CMMC 2.0: to explain everything you need to know in order to be prepared for CMMC 2.0 compliance.
NOTE: In 2024, everyone will be required to move from CMMC to CMMC 2.0. Ensure you are prepared with our CMMC 2.0 Guide and let us know if we can help talk you through anything!
Editor’s Note: This blog was originally published on March 27, 2023. It was edited for accuracy on July 30, 2023.
