CMMC in the Near-Term

CMMC will not be required for all contractors immediately and will be phased in for certain DoD-identified contractors beginning in September 2020. When fully operational, the CMMC will be mandatory for all entities doing business with the DoD at any level. Prime contractors, and their subcontractors, will be required to meet one of the five CMMC trust levels, and demonstrate that cybersecurity has been sufficiently implemented through the completion of independent validation activities. Initial Award, or continuance, of a DoD contract will be dependent upon CMMC compliance. No contractor organizations will be permitted to receive or share DoD information related to programs and projects without having completed the CMMC process. At the time that a contractor’s contract is up for renewal they must be CMMC compliant.

In January 2020 the CMMC will release a checklist for contractors which will allow them to identify how well they currently comply with the framework, and to assist with planning and implementing security maturity tasks. The CMMC will be included as a component of Requests for Information (RFIs) in mid-2020 and is expected to be included in Requests for Proposal (RFPs) by late 2020. The required CMMC compliance level will be contained in sections L & M of RFPs, making cybersecurity an “allowable cost” in DoD contracts.

CMMC will combine elements of various cybersecurity control standards such as NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933, and others, into one unified standard for CUI cybersecurity.

CMMC Timeline

• May 2019: Version 0.1
• July 2019: Version 0.2 identified and reviewed
• September 2019: Version 0.4 released
• October 2019: CMMC implemented requirements released
• November 2019: Version 0.6 to be released for public review
• January 2020: Version 1.0 finalization expected; compliance checklist released
• June 2020: CMMC will begin appearing in RFIs
• September 2020: CMMC Will Begin Appearing in RFPs

Link to CMMC latest documentation