The CMMC Rule is Final & Posted by the DoD
Here’s a concise overview of the recent developments regarding the Cybersecurity Maturity Model Certification (CMMC) Program.
Welp, it’s official… defense contractors should start preparing for the CMMC requirements now to ensure compliance and maintain eligibility for DoD contracts. Proactive steps include reviewing current contracts to determine the required CMMC level, implementing the necessary cybersecurity controls, and planning for the appropriate assessments.
If you aren’t familiar with CMMC, you can check out our last blog, “How Manufacturers Can Get Secure and Avoid Government Risk with CMMC Compliance,” where we outline what it is, why you’ll have to do it, why you should work with a cybersecurity consultant, and the tools for compliance.
Final Rule Publication and Effective Date:
- The U.S. Department of Defense (DoD) published the final rule for CMMC 2.0 on October 15, 2024.
- This rule will become effective on December 16, 2024.
The CMMC 2.0 Framework Levels:
- Level 1 (Foundational): Focuses on 15 basic cyber hygiene practices for handling Federal Contract Information (FCI). Organizations are required to conduct annual self-assessments.
- Level 2 (Advanced): Aligns with the 110 controls outlined in NIST SP 800-171 to protect Controlled Unclassified Information (CUI). Depending on the contract, this may require self-assessment or third-party certification every three years.
- Level 3 (Expert): Designed for the most sensitive contracts, incorporating additional NIST SP 800-172 controls. Requires both third-party certification and government-led assessment every three years.
“The most important thing is to get NIST SP 800-171 compliant, as this is the foundation of CMMC 2.0 Level 2 Certification.”
— Darren Gallop, CEO & Founder, Carbide Secure (CMMC Registered Practitioner)
In our recent webinar, “How to Streamline CMMC 2.0 Compliance,” we outlined what manufacturers need in order to be CMMC 2.0 compliant, including how to budget for it and when. The big takeaway is that CMMC 2.0 is necessary for all organizations in the DoD’s supply chain that handle Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

© Datanomix & Carbide. All Rights Reserved.
If you’re curious about your software vendors: CMMC 2.0 is necessary for all vendors in the DoD’s supply chain that handle FCI and CUI, whether in the cloud or on-premises. If a vendor does touch CUI, ask whether it complies with the 110 requirements of DFARS 252.204-7012 / NIST SP 800-171 and whether it holds any third-party certifications such as SOC 2, ISO 27001, or FedRAMP (if it sells to any Federal agencies).
The Phased Implementation Timeline:
- Phase 1: Begins on December 16, 2024. Contractors must meet self-assessment requirements for all solicitations and contracts as a condition of award.
- Phase 2: One year after Phase 1 starts, contractors must obtain CMMC certifications for applicable DoD contracts.
- Phase 3: One year following Phase 2, all DoD contracts will require CMMC certification, including Level 3 for relevant contractors.
- Phase 4: One year after Phase 3, full implementation will enforce CMMC requirements for all contracts, including option periods.
You can visit the official DoD CMMC program page for more detailed information and resources.