The Final CMMC 2.0 Rule is Here: What Does that Mean for You?
The announcement came from the Department of Defense (DoD) just before the holiday weekend. On October 15, the DoD announced and published the long-awaited final rule that defines the Cybersecurity Maturity Model Certification (CMMC) 2.0 framework. With that, CMMC 2.0 becomes a reality that Defense Industrial Base (DIB) organizations will have to implement and follow in 2025.
Fortunately, we at Exostar are experts in CMMC, cybersecurity, and helping companies get through the complex and time-consuming assessment process more effectively and efficiently. As such, let’s review the history of CMMC, and what it all means for your business.
A Brief History of CMMC
A blog article like this cannot cover in detail how the CMMC came to be, since the rules and regulations changed incrementally and ran to hundreds of pages, but we can take a high-level view of how we got here.
- Early 2000s: The U.S. government enacts FISMA and the Cybersecurity Research and Development Act to improve federal cybersecurity, recognizing risks from contractors.
- 2010: Executive Order 13556 establishes standards for handling Controlled Unclassified Information (CUI) across federal agencies.
- 2011: DFARS 7000 introduces rules to safeguard CUI, especially in defense-related research.
- 2016: DoD directs use of NIST SP 800-171 to provide cybersecurity guidelines for protecting CUI.
- 2017: DFARS 7012 requires defense contractors to self-attest to compliance with NIST SP 800-171.
- 2019: DoD introduces CMMC to transition from self-attestation to third-party certification.
- 2020: CMMC 1.0 is launched as a five-level framework for assessing cybersecurity practices in the DIB.
- 2021: CMMC 2.0 is announced, simplifying the framework to three levels and aligning with NIST SP 800-171.
- 2023: The CMMC Proposed Rule is published on December 26, marking a key step toward implementation.
- 2024: 32 CFR goes live on December 15, making CMMC accreditation mandatory for defense contractors.
- 2025: 48 CFR is finalized in early 2025, enforcing CMMC requirements in DoD contract solicitations.
- 2025-2028: CMMC compliance phases into all new and renewed DoD contracts, fully integrating by 2028.
Starting in the early 2000s, the U.S. government understood that its dealings with contractors and sub-contractors posed a potential security risk, particularly for the Department of Defense. The world was turning more and more to cloud-based file storage and collaboration, and the risks were too great. Thus, the Federal Information Security Management Act (FISMA) was created, compelling every federal agency to create, develop, and implement programs to ensure information security.
That same year, 2002, also brought the Cybersecurity Research and Development Act, which tasked two government agencies (National Science Foundation, Secretary of Commerce and National Institute of Standards and Technology) with creating the rules to increase security. Their work set the foundation for what would become CMMC.
Over the next several years, the government released requirements such as FIPS 199, FIPS 200, and NIST Special Publications 800-53, 800-59, and 800–6, followed by NIST Special Publications 800-37, 800-39, 800-171, and 800-53A, all of which attempted to clarify and add security to the frameworks.
Then in 2010 Executive Order 13556 addressed Controlled Unclassified Information (CUI) to create a labeling standard across the government. In 2011, the Defense Federal Acquisition Regulation Supplement (DFARS) created rule 7000 to bring to life requirements for safeguarding CUI, specifically those related to fundamental research.
DFARS published additional rules between 2011 and 2019, but the framework we know today originated in 2019, when the DoD finally created the CMMC to move away from self-attestation to third-party attestation.
From that point forward, more tweaks and additions were made to the CMMC to simplify and streamline it, until November of 2021, when the DoD announced the release of CMMC 2.0, which was designed to truly streamline the process. It then took until October of 2024 for the DoD to agree on all of the rules involved and put the final one in place.
What Does the Final Rule Mean for Your Business?
First and foremost, it means that CMMC 2.0 is a reality, and that time is running out to ensure your business meets the cybersecurity standards required in order to qualify for DoD contracts in 2025.
Therefore, it behooves DIB organizations to prepare now. The entire process can take 6 months or more just to prepare for the assessment, and then additional time to find a third party to do the assessment. There are only a limited number of these third-party organizations, and they will likely be backed up pretty quickly.
During this time, those companies that do get their assessments are going to be under strict DoD review and scrutiny. The DoD will be looking at SPRS scores more closely than ever. Plus, each self-attestation must be accompanied by a sworn affidavit from the company’s CEO or another C-level executive, which exposes individuals to risk in addition to the company itself. Misrepresenting compliance can lead to fines and loss of DoD contracts.
Understanding the Key CMMC Rules: 32 CFR and 48 CFR Explained and Their Timeline for Implementation
CMMC implementation involves two rules—32 CFR and 48 CFR—which serve different purposes but work together to bring the framework into full effect. The 32 CFR rule defines the CMMC program and was published on October 16, 2024. It’s expected to become official by December 16, 2024, after a 60-day review period for Congress or the President.
Meanwhile, 48 CFR, which updates the DFARS to enforce CMMC fully, has just completed its comment period. The DoD will review the feedback and submit the final rule for approval. Once published, 48 CFR will face a similar 60-day waiting period and is anticipated to go live by Q2 2025. At that point, CMMC requirements will begin appearing in DoD contracts. This phased rollout gives businesses time to prepare. Still, starting now is essential, as the assessment process can be time-consuming and resource intensive.
Conclusion: Now Is the Time to Get CMMC 2.0 Compliant
The announcement of the final rule being put into place does not mean everything changes overnight. However, it does mean that any DIB organization that is not already in compliance needs to be. For years, it was all up to self-attestation, but that is not the case anymore.
Fortunately, Exostar’s CMMC Ready Suite is a complete solution that helps streamline the process. Right out of the box, thanks to Managed Microsoft 365, businesses meet 85 out of the 100 NIST SP 800-171 controls. The entire suite is there to help you become compliant, so you can focus on earning more DoD contracts, not on the regulations.
If you’re interested, contact one of our experts and set up a demo today.