These recent developments puts the CMMC program on track for approval, bringing government contractors closer to mandatory CMMC compliance.
On August 7, 2024 The Office of Information and Regulatory Affairs (OIRA) finished its review of the 48 CFR proposed CMMC rule. The 48 CFR Parts 204, 212, 217, and 252 proposed CMMC rule is the contract clause that will be added to a defense contractor’s contractual agreement (DFARS 252.204-7021).
On August 15, 2024, CMMC implementation has taken another step forward as the DoD published the highly anticipated 48 CFR rule in the Federal Register. Up next is the 60-day public review and comment period. Comments on the proposed rule should be submitted on or before October 15, 2024.
These recent developments put the CMMC program on track for approval, bringing government contractors closer to mandatory CMMC compliance. The next step is the Final Rules Publication, anticipated towards the end of October 2024. Given the federal election in November, the 118th Congress may not have time to review the Final Rules before it adjourns in December 2024. This would then be the responsibility of the 119th Congress, which is not set to convene until January 2025. Therefore, with the final approval projected for March 2025, this timeline could be at risk.
Why Start the CMMC Readiness Review Now?
There are several reasons why it makes sense to start your CMMC journey now.
- Currently there are only 56 C3PAO’s that are certified to date.
- All new contracts will contain the CMMC requirement.
- New contract awards will have priority for CMMC certification.
- Start preparing now if you are expecting a contract in 2025.
- There are various requirements in NIST SP 800-171 that require that a DIB partner demonstrate that they are "actively" performing specific tasks and steps. Unprepared DIB partners may be caught off guard and fail the certification.
Remember, there are two CMMC rules, each at different stages of rulemaking:
- Title 48 CFR is for the proposing amendments to the Defense Federal Acquisition Regulation Supplement (DFARS) to incorporate CMMC 2.0 requirements.
- Title 32 CFR for CMMC is the federal regulation that outlines the rules and guidelines for implementing CMMC within the Department of Defense's operations and activities. This regulation has already been published as a proposed rule and gone through the public comment process. It is now with the Office of Information and Regulatory Affairs (OIRA) awaiting finalization and publication.
A Note for Businesses in Foreign Countries Pursuing DoD Contracts:
Application to Foreign Suppliers for CMMC
Comment: Many respondents commented on whether CMMC will apply to foreign suppliers.
Response: If the program office or requiring activity identifies a need to include a CMMC requirement in a contract, it will be included in the solicitation and resulting contract unless the contract is exclusively for COTS items. The proposed rule does not exempt foreign suppliers from CMMC requirements.”
What Makes Spry Squared Different?
- We understand the CMMC landscape. For nearly nine years, Spry Squared has been supporting our clients with federal contracts with NIST SP-800-171 compliance.
- As a comprehensive MSP/MSSP solutions provider, our goal is not to sell you a specific product for your compliance requirements. Instead, we utilize the resources you already have, provide recommendations, and assist in implementing any additional resources needed to fulfill your compliance needs.
- With a wealth of experience and a proven track record of success, Steve Spry, in his role as Vice President and Chief Technology Officer, brings a unique perspective to the table. Not only is he a skilled professional in his field, but he is also a Registered Practitioner.