CMMC Update by Glenda R. Snodgrass for The Net Effect

January 3, 2024

It's here! The proposed CMMC rule was published on Dec 26

What a way to ring in the new year, eh? The text of the rule actually became public on Friday, December 22, the weekend before Christmas. I held off on this update until after the holidays.

There's an awful lot to unpack in this proposed rule, but I'll focus on just two things in this update: Timeline and Next Steps.

Timeline

While DoD has committed to a phased implementation, it's actually coming faster than I expected:

"DoD intends to include CMMC requirements for Levels 1, 2, and 3 in all solicitations issued on or after October 1, 2026."

Everything kicks off when the proposed rule becomes effective, which most people say will be late 2024 or early 2025. So let's arbitrarily take April 1, 2025 as the date for our calculations. This table summarizes the phased implementation, with more detail below:

April 1, 2025: ALL DoD contracts will require self-assessment and affirmation for both L1 and L2 at the time of award

October 1, 2025: Official L2 certification required for new contracts

October 1, 2026: Official L2 certification required to exercise options on contracts awarded prior to effective date of the rule; official L3 certification required for new contracts

October 1, 2027: Official L2 and L3 certifications required for all options on all contracts

Quoting from § 170.3 Applicability:

(1) Phase 1. Begins on the effective date of the CMMC revision to DFARS 252.204-7021. DoD intends to include CMMC Level 1 Self-Assessment or CMMC Level 2 Self-Assessment for all applicable DoD solicitations and contracts as a condition of contract award.

So no later than April 1, 2025, the self-assessment and affirmation requirements will kick in for ALL contracts. Self-assessment isn't being phased in, only certification. So what exactly are those self-assessment and affirmation requirements?

For L1, the contractor ("OSA") "must complete and achieve a MET result for all security requirements specified in [FAR 52.204-21 "The Basic Safeguarding Rule"]. No POA&Ms are permitted for CMMC Level 1." And "The CMMC Level 1 Self-Assessment must be performed using the objectives defined in NIST SP 800-171A ... " Once the self-assessment has been completed, the "senior official who is responsible for ensuring OSA compliance with CMMC Program requirements" must personally affirm in SPRS that the organization has met all requirements. This must be done at least annually (and after any significant changes to the CMMC scope). What happens if you don't do this?

a revocation of the validity status of the CMMC Level 1 Self-Assessment may occur. At that time, standard contractual remedies will apply and the OSA will be ineligible for additional awards ... until such time as a valid CMMC Level 1 Self-Assessment is achieved.

An organization that handles CUI will have to meet the L1 self-assessment and affirmation requirements, as well as the L2 self-assessment and affirmation requirements. Note that extremely limited POAMs may be permitted in the L2 self-assessment under certain conditions (the overall self-assessment score must be at least 88, only one-pointers are eligible for POAM, no L1 requirements are eligible for POAM). POAMs for L2 self-assessments must be closed within 180 days, with an updated self-assessment and affirmation recorded in SPRS.

(2) Phase 2. Begins six months following the start date of Phase 1. In addition to Phase 1 requirements, DoD intends to include CMMC Level 2 Certification Assessment for all applicable DoD solicitations and contracts as a condition of contract award.

Based on our 04-01-2025 effective date for CMMC, October 1, 2025 marks the start of inclusion of official certifications for L2 for all contracts. If you handle CUI, this is your drop-dead date for being officially certified for new contracts (not just self-certified as compliant).

(3) Phase 3. Begins one calendar year following the start date of Phase 2. In addition to Phase 1 and 2 requirements, DoD intends to include CMMC Level 2 Certification Assessment for all applicable DoD solicitations and contracts as a condition of contract award and as a condition to exercise an option period on a contract awarded prior to the effective date. DoD intends to include CMMC Level 3 Certification Assessment for all applicable DoD solicitations and contracts as a condition of contract award.

Following this schedule, October 1, 2026 marks the date that official certification will be required to exercise options on contracts that were awarded prior to April 1, 2025.

(4) Phase 4, Full Implementation. Begins one calendar year following the start date of Phase 3. DoD will include CMMC Program requirements in all applicable DoD solicitations and contracts including option periods on contracts awarded prior to the beginning of Phase 4.

October 1, 2027 marks the date that no contract options can be exercised without official certification at the required level.

Next Steps

What is the most likely scenario that will accelerate this timetable even further? Big Primes flowing down the CMMC clauses. Based on experience to date, they aren't going to wait on this. Subs need to be prepared.

In addition to taking the necessary steps to become compliant, you need to start preparing your primes for the increase in your rates. Allison Giddens, President of Win-Tech, Inc., a small DoD subcontractor and strong advocate for SMBs in the DIB, recently wrote a very useful article on LinkedIn, "SMBs: Refresh your rates and plan for the expensive road ahead," that I find very insightful and highly recommend you read. She has provided the text of a supplemental letter she has started sending with quote submittals, to put the primes on notice that CMMC will be increasing her overhead and thus her rates. You know how the DoD always says "talk to your customer"? Well, it's time to begin that conversation.

Need help? You know where to find me!

Want more information? Check out my upcoming virtual CMMC workshops:


Wednesday, February 28, 2024

Tuesday, March 5, 2024

Sincerely,

Glenda R. Snodgrass, CCP/CCA
grs@theneteffect.com
The Net Effect, LLC
www.theneteffect.com
251-433-0196 x107

If you enjoy these updates, you might also enjoy my weekly newsletter "Cyber Security News & Tips" -- sign up now!
