If you’re a contractor, subcontractor, supplier, or manufacturer working with the Department of Defense (DoD) you’ve heard of the Cybersecurity Maturity Model Certification (CMMC). This compliance certification is essential for ensuring that businesses in the DoD supply chain protect controlled unclassified information (CUI) and can continue to win contracts. With changes to CMMC still evolving, it’s vital to understand where the timeline stands and how you can prepare for certification.
In this blog, we’ll break down where businesses should be as of Q4 2024, what to expect from the upcoming CMMC updates, and the steps you need to take to ensure your business is on the right path toward certification.
How The CMMC Timeline Looks (As of September 2024)
Final Ruling for 32 CFR CMMC – Expected October 2024
The next major milestone for CMMC implementation is the publication of the final ruling for 32 CFR CMMC. This ruling, expected by October 2024, will make certification assessments available to businesses and will outline the process of assessment, including any permitted temporary deficiencies and the submission of a very limited Plan of Action and Milestones (POAMs) to rectify these.
The 32 CFR ruling will make the CMMC framework official, but the guidelines won’t be enforceable just yet. SMBs will enter a transition period, where you can focus on aligning your processes and security measures with the required standards before they become mandatory.
Final Ruling for 48 CFR CMMC – Expected in Q4 2025
The final ruling for 48 CFR CMMC—the last puzzle piece that allows CMMC to be fully put into effect—is predicted to be published during late 2025. This update will include specific CMMC requirements for the three levels of certification, which contractors and subcontractors will need to meet to participate in DoD solicitations.
It’s worth noting that these dates are currently general predictions, based on expected public comment periods, rule adjustments, and regulatory reviews.
What does this mean for DoD subcontractors in Virginia and other regions? Although the CMMC framework will become “real” once the 32 CFR ruling is published, the specific certification levels that DoD contracts require won’t appear in solicitations until the 48 CFR update is in place.
Businesses that use this closing window to position themselves competitively to bid for contracts when CMMC certification becomes a formal requirement. By getting ahead of the curve with CMMC implementation, you’ll be ready to act when the time comes, giving your company an edge over those who wait until the last minute.
How to Prepare for CMMC Certification
For many companies, preparing for CMMC will be a process that takes, on average, 12 to 18 months. This is especially true if your business requires Level 2 certification, the first level that mandates an external assessment from a Certified Third-Party Assessment Organization (C3PAO).
There are a few key aspects of preparation you’ll need to consider, including:
- Understanding the Requirements
If your business handles CUI, achieving Level 2 certification is required to remain in compliance. However, achieving compliance is no small task. The process involves scoping your environment, evaluating your current cybersecurity and compliance posture, and identifying any gaps that need to be addressed to meet the certification requirements.
CMMC Level 2 certification focuses on protecting CUI and aligning your cybersecurity with NIST SP 800-171 standards—which many contractors will have needed to be compliant with since 2017. This includes controls that cover everything from access control to incident response and system security.
It’s also important to understand which types of CUI (and how much of it) you’ll be handling, as this will influence which level of CMMC you need to adhere to.
- Potential Challenges in CMMC Preparation
One of the biggest challenges you’re likely to face during CMMC implementation is scoping your environment. It’s impossible to determine the tools, the means, and the policies and procedures you need to implement if you can’t identify the in-scope systems and the flow of CUI throughout your entire environment. Furthermore, limiting that flow as much as possible can go a long way to save money and time.
Partnering with an IT service provider that specializes in compliance can help you get answers to those questions and more. If you’re a government contractor in Virginia, having expert guidance can streamline your certification process and help you avoid losing out on lucrative business opportunities.
Next Steps for DoD Subcontractors in Virginia
Business preparedness for CMMC will be the deciding factor between those that power ahead and those that fall behind in the DoD supplier space. Get started by:
- Determining What CMMC Level You’ll Need to Meet
The first step is to figure out which level of CMMC certification your business requires. Once fully rolled out, CMMC will consist of three levels, with Level 2 being required for the handling of CUI.
- Conducting a Gap Assessment
A gap assessment is a crucial step in identifying where your cybersecurity practices fall short of CMMC requirements. Once you’ve determined the appropriate certification level, your IT team or a qualified external support provider can help you map out the gaps and create a roadmap to close them.
This is particularly important for CMMC for SMBs, as smaller businesses often lack the in-house resources to manage compliance efforts. Working with an experienced service provider will give you the guidance and technical expertise needed to achieve certification while making the process more approachable.
- Prioritize Identifying Information Systems, Data Flow, and Data Types.
When preparing for certification, focus on addressing data flows first. Depending on your role in the DoD supply chain, you may not need to implement every CMMC control across your entire enterprise. Lots of government contractors can leverage the understanding of types of data and how it flows to deploy specific IT ‘enclaves’, which can help reduce both the cost and time associated with certification.
- Develop a Timeline for Implementation
Finally, it’s important to set realistic goals for CMMC implementation. Since the length of the certification process is unique to each contractor, creating a detailed timeline that outlines when each task should be completed is a must for staying on track, getting ready to call for a third-party assessment (if required), and minimizing disruption to your team.
By focusing your efforts now, your business will be well-prepared for CMMC certification, allowing you to continue working with the DoD and maintain an edge in the market.
The Time to Prepare is Now
Many contractors we work with and speak to have an unrealistic timeline expectation. As of September 2024, the timeline for CMMC certification is moving forward, with the first major milestones expected by October 2024 and additional updates arriving in 2025. For businesses in the DoD supply chain, now is the time to start preparing for CMMC implementation. Whether you’re a contractor, supplier, or one of the many DoD subcontractors in Virginia, being proactive will put your business in the best position to succeed when CMMC becomes a requirement.
Infinity Technologies: North Virginia’s Premier Managed IT, Cybersecurity, and IT Support Partners
At Infinity Technologies, we specialize in providing IT and cybersecurity solutions that cover all bases—from support and ongoing assessments to threat management, response, and recovery—to SMBs in Charlottesville, VA, and beyond. Our services are designed to keep your business safe, secure, and operational, no matter the cyber threats you face.
Curious to see the difference that we can make for your SMB? Contact us today to learn how our IT support and cybersecurity solutions can provide the robust protection your business deserves.