
Is CMMC Required?

It’s the question many businesses and contractors want answered: is CMMC required now?

This is critical information for any entity that works with, or is pursuing work for, the U.S. Department of Defense (DoD).

Currently, CMMC, the Cybersecurity Maturity Model Certification program, is indeed required for organizations that do business with the DoD. With compliance for SaaS becoming increasingly important for government entities and businesses of all sizes, the CMMC 2.0 timeline has been advanced in response to industry requests for an updated and enhanced program. On Oct. 15, 2024, the U.S. Department of Defense published the CMMC final rule, which verifies that defense contractors comply with protections for federal contract information and controlled unclassified information, bolstering ongoing defenses against cybersecurity threats.

Ultimately, the CMMC is designed to safeguard sensitive information, thwart ongoing threats, and support public trust while ensuring DoD contractors and subcontractors meet essential cybersecurity requirements.

What Is the Current Status of CMMC?

The U.S. Department of Defense launched the CMMC program in 2019 as a stronger line of protection for the defense industrial base against growing cybersecurity threats and attacks. The revised model, to be implemented in the near future, includes the following:

  • A tiered model with three levels: Cybersecurity standards advance from the first level to the third, based on “type and sensitivity of the information.” The original model had five levels, which have been streamlined for efficiency and clarity. The DoD offers resources for each level.
  • An assessment requirement: The DoD can verify that cybersecurity standards are in place via CMMC assessments.
  • Phased implementation: Requirements will be rolled out over a three-year period, and contractors must achieve the specific CMMC level their contract calls for.

While the comment period on the revised CMMC rule has closed, Congress could still choose to block the rule under the Congressional Review Act.

Nevertheless, here is a potential timeline for CMMC’s certification structure published by the U.S. Small Business Administration Office of Advocacy:

  • March 1, 2025: Levels 1 and 2 of the structure will be required
  • March 1, 2028: Level 3 will be required at this final stage, with all DoD contracts having CMMC requirements in place

As of now, the date when CMMC 2.0 rulemaking will be completed remains a question without a definitive answer. 

Has CMMC Been Finalized?

The CMMC final rule was published in the Federal Register on Oct. 15, 2024. It will take effect when the U.S. Code is amended with a Title 48 Code of Federal Regulations rule. The scheduled CMMC implementation date will be 60 days after the final Title 48 rule is published. 

The Chief Information Officer at the DoD has a FAQ site that shares key updates on CMMC.

Is CMMC Only for DoD?

While the CMMC was designed specifically for the U.S. Department of Defense, the model’s champion has said that other federal agencies are also considering CMMC implementation. Regardless of the CMMC timeline, it is clearly a strong set of security standards designed to ensure both accountability and resilience to cyber threats and could be applicable to numerous agencies and businesses.

What Companies Need CMMC Compliance?

The Cybersecurity Maturity Model Certification program applies to any company, contractor, or subcontractor that will “process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) on unclassified contractor information system.” CMMC compliance is a must for companies working with the DoD, while broader SaaS compliance is critical for businesses and organizations across industries.

There are limited exemptions: contracts exclusively for commercially available off-the-shelf items, and contracts below the DoD’s micro-purchase threshold of $10,000.

Upgrade Your Cybersecurity Posture With Trava Security

CMMC compliance and SaaS compliance are hot topics for a reason: data privacy matters now more than ever, cybersecurity attacks and challenges are more prevalent than ever, and cybersecurity and compliance are needed more than ever. Fortunately, there are also more resources for small- and medium-sized businesses looking to enhance or manage both new and existing cybersecurity programs and initiatives.

Trava Security offers elite compliance and cybersecurity services designed for growth companies, including compliance as a service, compliance readiness, penetration testing, cybersecurity due diligence, vulnerability assessments, and more. Whether you are looking to contract with the U.S. Department of Defense or simply want to upgrade your cybersecurity and compliance programs and services, we can help you achieve compliance and certification.

Book an intro call today to discover how compliance and cybersecurity can support greater growth and success for your entire business.

Questions?

We can help! Talk to the Trava Team and see how we can assist you with your cybersecurity needs.