DOD plans four-phase roll out of CMMC

Gettyimages.com/ athima tongloom

Find opportunities — and win them.

The Defense Department expects companies will need two years to be fully compliant with this new standard for protecting information on their systems.

One of the biggest questions surrounding the proposed Cybersecurity Maturity Model Certification standard has been how the Defense Department plans to roll out and implement it.

The proposed CMMC rule will dictate how contractors will protect the controlled unclassified information they hold in their systems.

DOD expects it will take two years for companies with existing contracts to become CMMC certified to the appropriate level, according to the proposed rule published Tuesday in the Federal Register. That means contractors will need to go through a third-party assessment process.

DOD plans a four-phase implementation for rolling out CMMC in solicitations and contracts.

  • Phase one is the effective date of the final CMMC rule. Contractors will have planned and prepared for an assessment.
  • Phase two begins six months after phase one. Either a self-assessment or third-party assessment needs to completed.
  • Phase three begins one year after phase two. Contractors will have to report their assessment results.
  • Phase four is the full implementation and happens one year after the start of phase three. This means completing any open Plan of Action and Milestones identified in the assessment. This applies to companies trying to attain Level 3, the highest CMMC certification.

DOD expects levels one, two and three of CMMC to be required in all contracts from Oct. 1, 2026 and on.

The department will not conduct a pilot program as part of the roll out of CMMC. Instead, when the rule is final, self-assessments (basically level one) will be required when warranted by CUI and Federal Contract Information requirements.

That is not completely new because the CUI self-assessment has been a requirement since September 2020. The difference between CUI and FCI is very subtle, but my understanding is that FCI is non-public information generated by contractors as they support the government. On the other hand, CUI is information the government shares with contractors as part of the work process.

While implementation is phased, DOD is leaving it to the discretion of their program managers to include CMMC requirements earlier than what is stated.

There is no plan to issue a list of contracts that will have CMMC requirements. Instead, contractors need to watch individual solicitations that will specify the CMMC level needed for that contract.

Comments on the proposed final rule are due Feb. 26.