CMMC 2.0 Timeline: When Will it be Required

HomeBlogBlogCMMC 2.0 Timeline: When Will i...

Business professionals in the military-industrial base have been inquiring about the Cybersecurity Maturity Model Certification (CMMC) for upwards of two years and now is the time to act with urgency.

The federal government decided to pull back the initial CMMC plan, revise it, and develop CMMC 2.0. Like a dark cloud hanging over the contractors and subcontractors, organizations that tap into the U.S. Department of Defense (DoD) revenue stream have been eager to comply. That’s one of the reasons Sedulous Consulting Services was among the first 100 organizations to qualify as a Third-Party Assessment Organization.

Although DoD contractors, supply chain outfits, and managed IT cybersecurity firms have all been stuck in a holding pattern, it appears the DoD is ready to move forward with the long-anticipated CMMC 2.0. The newly minted cybersecurity mandate will task companies with building out technological infrastructure, educating employees about best practices, and maintaining different types of certification.

The goal is to prevent garden variety hackers and advance persistent threats, funded by rival nations, from acquiring Controlled Unclassified Information (CUI) for the purposes of breaching our national security. Organizations that are unprepared or fail to meet the stringent regulatory requirements can expect to find themselves outside the industry, losing profit-driving contracts and subcontracting work.

What Businesses Need to Know About CMMC 2.0 Timeline

The initial CMMC version was put forward in January 2020 and was met with complaints regarding costs, complexity, and confusion regarding assessments and compliance. Small businesses found the mandate particularly challenging because it was difficult for those outside the managed IT cybersecurity industry to determine which level was applicable and how to implement the required controls.

The imminent CMMC 2.0 streamlines the guidelines from five levels to three. But, in all honesty, there are baked-in items that small and mid-sized operations may find frustrating. However, the mandate is here to stay, and your company will be required to meet one of the following three CMMC 2.0 levels.

  • Level 1: The federal government calls this the “Foundational” level and it pertains to companies that store or transmit Federal Contract Information (FCI). Generally applicable to suppliers and service providers, businesses will be required to meet 15 controls. Companies will need to have a cybersecurity assessment conducted annually and file the results for review.
  • Level 2: This “Advanced” cybersecurity standard calls for implementing and maintaining upwards of 110 controls. The advanced cybersecurity directive has been something of a pain point for small and mid-sized organizations. That’s because it treats companies differ in terms of enlisting a Third-Party Assessment Organization, internal reviews, or a combination of both. If there’s a space where companies get tripped up and lose government-driven revenue, this may very well be it. We advise businesses to err on the side of caution, contact a Third-Party Assessment Organization, and protect their livelihood.
  • Level 3: Considered “Expert” cyber hygiene, outfits will need a Third-Party Assessment Organization to review their system, cybersecurity policies, and best practices. An objective analysis will lead to certification or inform stakeholders where deficiencies persist. There are a reported 134 necessary controls embedded in Level 3.

It’s essential to keep in mind that meeting the CMMC 2.0 timeline calls for proactive measures. There are a limited number of certified Third-Party Assessment Organizations and they will be in increasingly higher demand as the rollout moves forward. Putting off scheduling a CMMC 2.0 assessment will likely result in your company landing on a waiting list. Although not visually obvious like the 110 cargo vessels anchored off the California Coast last year or the gas lines after the Colonial Pipeline hack in May 2021, businesses can expect lengthy delays.

CMMC 2.0 Rollout Has Effectively Begun

The federal government concluded its public comment period on Sept. 15, 2022, in compliance with the CMMC Assessment Process. This opens the door to voluntarily having a Third-Party Assessment Organization certify your defenses. Although there was speculation the final CMMC 2.0 version would take up to 24 months, the National Law Review indicates it could be released as soon as the first quarter of 2023.

“If DoD sticks to this new timeline, the CMMC requirements could begin appearing in solicitations as early as May 2023 (60 days after the rules are published). DoD also announced it plans to roll out the CMMC requirements in solicitations under a ‘phased approach.’ In particular, for phase one, when the CMMC requirement first starts appearing in solicitations, all offerors will be required to conduct a self-assessment (rather than have a third-party certification) and provide a positive affirmation of compliance,” the National Law Review reports. “Then, in phase two (with timing still to be determined), solicitations will require either self-assessments or third-party certifications (depending on the type of CUI and required certification level).”

Contact Sedulous Consulting Services For CMMC 2.0 Compliance

Based in Triangle, Virginia, Sedulous Consulting Services ranks among the first 100 organizations to qualify as a Third-party Assessment Organization. We work diligently with small and mid-sized businesses to assess their cybersecurity vulnerabilities, secure their network defenses, and meet the stringent CMMC 2.0 requirements. If your company enjoys profits from a military contract or works in the supply chain, contact Sedulous Consulting Services.


CMMC 2.0 vs CMMC 1.0 - Sedulous Cybersecurity