CMMC Program Go Live – What You Need to Know

December 16^th, 2024 marks the official launch of the Cybersecurity Maturity Model Certification (CMMC) program. CMMC provides for the third-party certification of cybersecurity requirements implemented by members of the Defense Industrial Base (DIB), a.k.a. Department of Defense (DoD) contractors and subcontractors. CMMC is a program first conceived of in 2019 that enforces security requirements contractually imposed in 2017, which is to say that, although progress has been unsteady, this has been a long time coming. Read on to learn what this means, and what remains to be done.

Official Program Activities

With the official launch of CMMC, the most salient change is that Level 2 Certification Assessments can commence, allowing members to begin achieving certified status. Although a small number of organizations have undergone provisional Joint Surveillance Voluntary Assessments, the majority of the estimated 80,000 organizations requiring Level 2 certification will be engaging with the limited pool of CMMC Third-Party Assessment Organizations (C3PAOs). The official launch of the program also provides answers to many of the open questions resulting from the considerable latitude granted to the governing body, the Cyber AB. While many of these questions were resolved with the publication of the final rule in October, the remainder, primarily around exactly how a certified assessment will proceed, will be provided through the finalized assessment templates provided by the Cyber AB, which I know that I and others at Tevora are eager to dig into.

Beyond the DIB

In addition to DIB members, who directly hold contracts with the DoD, any External Service Providers (ESPs) and Cloud Service Providers (CSPs) handling controlled unclassified information (CUI) on behalf of DIB members will also be affected. Although ESPs no longer are required to attain Level 2 Certification, doing so can be a market differentiator, and it will simplify the customer assessments where they will otherwise be required to participate in the assessment and demonstrate all controls for which they are responsible for evaluation. CSPs must be FedRAMP Moderate, or equivalent, which the DoD defined “FedRAMP equivalency” as requiring all of the components of a FedRAMP authorization package, including certified assessment by a FedRAMP 3PAO, only lacking the federal sponsor and official authorization by the FedRAMP Project Management Office. For both ESPs and CSPs, you stand at the head of the movement towards certification for the ecosystem, so rapid attainment of certified or equivalent status is even more essential. 

What’s Next?

While the program and certified assessments commence today, there is still one major milestone remaining: publication of the Title 48 CFR rule. For those not knee-deep in the minutiae of CMMC, this is the rule that will place CMMC requirements into contracts in a phased approach. Until then, certified assessments can commence but are not yet contractually required. Despite that, the rule exited the public comment the same day that the final rule establishing the program was published. At a tenth of the length of the program rule, and with repeated recommitments by DoD to its finalization in the first half of 2025, we are confident that the last domino will fall in this prolonged sequence, bringing with it the start of the rollout in 2025, and hard requirements for Level 2 Certification a year later in 2026. Stay tuned to Tevora’s feed to ensure that you remain up to date on the latest CMMC developments. As an RPO, A2LA certified assessor of NIST SP 800-171 controls, and a FedRAMP 3PAO, Tevora is your partner in achieving compliance in advance of your CMMC certified assessment. As a candidate C3PAO, Tevora will soon be qualified to deliver certified assessments for organizations that are more advanced in their security journeys, and achieving this landmark will keep you qualified for all DoD contracts for years to come. Here’s our information.