CMMC 2.0 Timeline

Publication date: Jun 02, 2022

Last Published: Jun 22, 2023

June 22, 2023 Update on CMMC

OSIbeyond’s Cybersecurity team has been diligently monitoring the latest CMMC developments ever since the DoD announced the suspension of CMMC 1.0 and the release of CMMC 2.0. We have compiled a timeline of the most recent developments to bring you up to speed on where the CMMC program currently stands.

Contact us at the end with any questions. Stay up to date by joining our newsletter for our future updates on CMMC 2.0.

Updated Timeline for Cybersecurity Maturity Model Certification (CMMC)

  • October 2024 (expected)
    • Rulemaking concludes, CMMC 2.0 certification requirements will start to be included in future DoD contracts (exact schedule TBD pending completion of OMB review).
  • September 2023 (expected)
    • CMMC 2.0 final rule will be released for public review and comment.
    • DoD will finalize the rule within 12 months.
    • Based on the original DFARS 7019/7020 “SPRS Score” rollout, Primes will be rapidly requesting self-attestations of compliance from subcontractors to identify those that require replacement due to inability to meet CMMC requirements.
    • Widespread industry concern has continued to grow over the assessment of third-party service providers used by DIB contractors, including MSPs and MSSPs. DOD has stated that this will be addressed as part of the CMMC rulemaking process.
  • June 2023
    • The Office of Information & Regulatory Affairs (OIRA) releases the Spring 2023 Unified Agenda, confirming that the Notice of Proposed Rulemaking (NPRM) for the CMMC rules (Parts 32 and 48 of the Code of Federal Regulations) is now expected in September 2023.
      • There are currently 44 authorized C3PAOs, but DOD has not given final approval and the necessary access to permit CMMC assessments to begin.
      • Additionally, the CMMC Assessment Process (CAP) has not been finalized. This C3PAO count does not align well with the 80,000 to 300,000 companies that may require assessment. However, a very small percentage of the DIB is ready to be formally assessed.
  • May 2023
    • The Deputy CIO for Cybersecurity at the Defense Department (DoD), David McKeown, said that the CMMC rulemaking is progressing and that they are targeting late fall of next year for CMMC to start to be put into contracts.
  • January 2023
    • A new “Interim Rule” OR “Final Rule – Notice of Proposed Rule Making” to implement CMMC is expected to be published for public comment sometime in Spring 2023.
      • An Interim rule:
        • Is unlikely to be changed based on public comment.
        • Would likely go into effect 60 days after being published for comment – June-July 2023.
        • May appear in contracts starting FY 2024.
      • A final rule:
        • Requires a lengthy public comment process.
        • Would go into effect Summer of 2024, and appear in contracts beginning FY 2025.
      • DOD strongly prefers an interim rule to allow for a more rapid rollout of CMMC.
  • August 2022
    • NIST invites public comments for changes to NIST SP 800-171 in Revision 3.
    • “Joint Surveillance Program” DIBCAC/C3PAO assessments may begin, using the DIBCAC assessment process.
    • An initial draft version of the CMMC Assessment Process (CAP) is released for a 30-day public comment period, ending on 9/15/22.
      • Voluntary C3PAO certification assessments for early adopters cannot begin until the CAP is finalized. We anticipate this will take place when rulemaking is completed.
      • The draft CAP, as released, is not viable for assessments and needs significant re-work.
  • May 2022
    • After the walk back of bifurcation & self-assessment, there remain glaring issues with the scale of the assessment ecosystem (C3PAOs and Assessors).
    • At an industry event, Stacy Bostjanick (Chief of Information and Policy, Office of the DOD CIO) provided some more info on rollout/rulemaking.
      • To address the C3PAO capacity concern, it appears that when the new CMMC rule goes into effect, all contractors will be required to self-assess on new contracts effective immediately, with third party assessments ramping over time.
    • The new self-assessment will be very different from the current SPRS self-assessment. Details are not final, but our expectation is that:
      • Attestation must be by a C level or other executive in the organization.
      • Attestation will be that the company is 100% compliant with CMMC.
      • A 180-day POAM will be permitted for items that have a 1- or 3-point 800-171 DODAM score.
      • No 5-point items may be in a POAM.
      • DOD is aware of the possibility that companies will not follow up on their POAMs.
        • KOs (contracting officers) will be able to use their enforcement toolset (withholding of payment, stop work orders, etc.) if the timeline is not met.
        • Details are murky but it seems like the SPRS system will be used for this. Instead of a simple score they will ask more detailed questions. Requiring contractors to provide a list of un-met requirements with planned date of implementation would make sense.
      • Attestation will have to be made on an annual basis.
    • Contractors should think carefully about the implications of attesting 100% compliance through SPRS and then later being unable to successfully complete a C3PAO or DIBCAC assessment.
  • February 2022
    • DOD CISO David McKeown stated in a town hall webinar that when DOD began to look at the bifurcation of contracts in more detail, it was difficult to see how any contractor with a multiple contract portfolio could self-assess, so it was likely all contractors would need to be third party assessed at Level 2/CUI. This statement effectively nullified the existing expectation that a significant percentage of contractors in possession of CUI would be able to self-assess for CMMC 2.0 Level 2.
  • November 2021
    • CMMC 2.0 model is introduced and is streamlined to three versus five levels.
      • Eliminates CMMC 1.0 Levels 2 and 4: Developed as transition levels and were never intended to be assessed against.
      • Retains three levels, directly linked to specific data types & existing regulations:
        • Level 1 – for companies with FCI only that must protect it per FAR 52.204-21; this information requires protection but is not critical to national security.
        • Level 2 – for companies with CUI covered by the existing DFARS 252.204-7012/7019/7020 requirements.
        • Level 3 – for programs involving the most sensitive CUI, expected to be a very small subset of contractors.
      • Provides allowance for temporary, limited POAM items, and an even more limited option for potential waiver of requirements.
    • Requirements are near replicas of those in NIST SP 800-171 and NIST SP 800-172
      • Eliminates all CMMC unique practices and maturity processes. However, the removal of these should not be taken to mean that the level of documentation required to support compliance has been meaningfully reduced!
      • Level 3 will use a subset of NIST SP 800-172 requirements.
    • Introduction of bifurcation at Level 2/CUI:
      • The intent was to have more critical/prioritized acquisitions require third party assessment, while all others may do a self-assessment.
      • The criteria for deciding how contracts may be bifurcated do not exist publicly; the decision appears to be up to the discretion of DOD on a per-contract basis.

CMMC Unanswered Questions

There are, however, significant unanswered questions that remain, particularly around how to manage assessment of contractors that work with cloud-based security tools, Managed Services Providers (MSPs), Managed Security Services Providers (MSSPs) and other cloud hosted systems that may store or impact CUI. We expect many of these questions to only be resolved once rulemaking is complete and assessments begin and set precedent for how a given situation is to be handled. The C3PAO Stakeholder Forum (Positions – C3PAO Stakeholder Forum, c3paoforum.org) has published material addressing some of these questions.

In addition, contractors with international locations may have data protection, export and sovereignty requirements that conflict with each other. C3PAOs will become aware of these situations during assessment, and additional guidance is required from the DOD on how they are to be managed.

What Should Contractors Do Right Now?

Contractors should expect to see a CMMC requirement for new direct DOD business starting either FY 2024 or FY 2025. Contractors should also expect pressure to comply with CMMC from their prime contractors beginning in late 2023. It can take 6-12 months or longer for an organization to become compliant, depending on size, complexity, and available resources. An organization may also be dependent on the compliance of its third-party service providers, including MSPs and MSSPs, before the organization itself may become compliant. This adds to the timeline for the contractor and presents a significant risk to the overall compliance program if the third-party provider is unable to become compliant in time or instead chooses to exit the DIB sector altogether.

We are now possibly less than 12 months from rulemaking finalization and the resulting action from prime contractors to verify the compliance of their supply chain (subcontractors). While some aspects of how CMMC will be implemented are still unknown, the actual requirements are set (NIST SP 800-171), have been largely unchanged since 2017 (DFARS 252.204-7012), and are not going to be reduced prior to the CMMC program launch. If anything, they will be increased when NIST SP 800-171 Rev3 is released.

Waiting until the end of this year, or until rulemaking is complete, to begin serious work towards implementing NIST 800-171 will likely result in a contractor becoming less attractive to prime contractors as soon as 2023, and ineligible for contract awards in 2024.

It is our professional recommendation that contractors who currently do business with the DoD begin aligning their environment with NIST 800-171 now, to be ready when the requirements are added to new contracts. Organizations who fail to be prepared risk losing contracts or being at a competitive disadvantage when bidding on new business.

Need Help Getting Started?

OSIbeyond’s Cybersecurity Compliance team is ready to assist your organization in becoming CMMC 2.0 compliant. Our process starts with a Risk Assessment against NIST 800-171 to identify the gaps in your environment along with a System Security Plan (SSP) and Plan of Actions and Milestones (POAM).

Contact us today to discuss how we can help your organization prepare for CMMC 2.0.