Blog Post

The Department of Defense Issues Proposed Timeline for CMMC Implementation

Government Contracts Navigator

On December 26, 2023, the Department of Defense (“DoD”) issued the long-awaited proposed rule for the Cybersecurity Maturity Model Certification (“CMMC”) program. In our previous post, we discussed how the CMMC program comprises three levels with increasing cybersecurity requirements. Contractors will be required to either conduct a self-assessment or undergo a third-party assessment (the latter referred to as a certification assessment) to demonstrate compliance with their applicable CMMC Level.

DoD included in the proposed rule an estimated timeline for the rollout of the CMMC program. Specifically, DoD intends to implement the CMMC program in four phases over two and a half years:

  • Phase 1 begins on the effective date of DoD’s final CMMC rule (i.e., when DFARS 252.204–7021 is officially revised). During Phase 1, CMMC Level 1 or Level 2 self-assessments become a condition for contract award. This means that contractors must self-assess their compliance with the cybersecurity requirements of CMMC Level 1 or 2 (whichever level is applicable to the contract) to be eligible for award. DoD may also include third-party CMMC Level 2 assessment requirements in certain contracts at its discretion.

To read the full post, please visit our Government Contracts Navigator blog.