The Department of Defense Issues Proposed Timeline for CMMC Implementation

Michael Joseph Montalbano 

On December 26, 2023, the Department of Defense (“DoD”) issued the long-awaited proposed rule for the Cybersecurity Maturity Model Certification (“CMMC”) program. In our previous post, we discussed how the CMMC program comprises three levels with increasing cybersecurity requirements. Contractors will be required to either conduct a self-assessment or undergo a third-party assessment (the latter referred to as a certification assessment) to demonstrate compliance with their applicable CMMC Level.

DoD included in the proposed rule an estimated timeline for the rollout of the CMMC program. Specifically, DoD intends to implement the CMMC program in four phases over two and a half years:

  • Phase 1 begins on the effective date of DoD’s final CMMC rule (i.e., when DFARS 252.204–7021 is officially revised). During Phase 1, CMMC Level 1 or Level 2 self-assessments become a condition for contract award. This means that contractors must self-assess their compliance with the cybersecurity requirements of CMMC Level 1 or 2 (whichever level is applicable to the contract) to be eligible for award. DoD may also include third-party CMMC Level 2 assessment requirements in certain contracts at its discretion.
  • Phase 2 begins six months after Phase 1. During Phase 2, DoD will add CMMC Level 2 certification assessment requirements to all applicable contract awards. This means that contractors will need to pass a third-party Level 2 CMMC assessment to be eligible for contracts with the CMMC Level 2 certification requirement. DoD may also include CMMC Level 3 certification assessment requirements in certain contracts at its discretion.
  • Phase 3 begins one year after Phase 2. During Phase 3, DoD will extend the CMMC Level 2 certification assessment requirement to applicable contracts that were awarded prior to DoD’s finalization of the CMMC rule. This means that DoD will not exercise options on existing contracts unless the contractor has passed a third-party Level 2 CMMC assessment (assuming the CMMC Level 2 requirements are applicable to the contract). In addition, DoD will add CMMC Level 3 certification assessment requirements to all applicable contract awards.
  • Phase 4 begins one year after Phase 3 and will mark the full implementation of the CMMC program. During Phase 4, DoD will include all CMMC Program requirements in all applicable DoD solicitations and contracts, including option periods on existing contracts.

If, hypothetically, the final CMMC rule becomes effective on December 26, 2024 (one year after DoD released the proposed rule), then Phase 1 would begin on December 26, 2024; Phase 2 would begin on June 26, 2025; Phase 3 would begin on June 26, 2026; and Phase 4 (i.e., full implementation) would begin on June 26, 2027. While two and a half years may seem like a long time, contractors should begin assessing their compliance now, especially if they plan to obtain a third-party certification for CMMC Levels 2 or 3. Contractors who do not meet applicable CMMC requirements could miss out on the opportunity to compete for new contracts or could have their existing DoD contracts end after option periods are not exercised.