Blog
September 5, 2024

CMMC’s Upcoming Cliff

by Brandon Graves, Partner

News Insights

CMMC began development back in 2019. Final implementation has been just around the corner for almost that long; long enough that many have tuned it out. The end is finally in sight, however, and government contractors may find less help available than they need.

On June 27^th, the Department of Defense finished its review of the CMMC proposed rule, sending it to OIRA as a final review. That means we should see a published rule in October. In addition, NIST just published the latest revision to SP 800-171, which underlies CMMC. This means that some of (many of) the technical requirements changed. The DOD is working to get more companies certified to provide assessments, which is a slow process that has been disrupted by the many changes in the requirements. The federal government is also in the midst of a significant change in overall cybersecurity and supply chain security requirements.

When the final rule is published, expect a lot of noise. Primes are already pushing subs to get certified, and this behavior will increase once solicitations actually include CMMC (sometime in 2025, most likely). Consultants are pushing solutions, many of which are not actually solutions; companies should beware.

What companies will find is that there are not enough properly certified assessment organizations available to meet demand. This is especially true for organizations that are not in a position now to meet CMMC obligations; they will spend months doing remediation, leaving them even less time for an assessment. The DOD’s position is that everyone should already be in position to meet CMMC requirements due to the existing SP 800-171 obligations in the current DFARS, so there will be little consideration of companies not at this standard.

It is almost certain that someone reading this post works for a company that will miss opportunities because they cannot comply with CMMC. Don’t be that company. If you have any questions around what your CMMC obligations are or how best to reach them, please contact us while you still have time to make any adjustments.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

CMMC’s Upcoming Cliff

News Insights

Order could not process, please ensure your credit card information is correct and try again