When Does CMMC 2.0 Take Effect?

When Does CMMC 2.0 Take Effect?

What Does the Change to CMMC 2.0 Mean for Your Company? For one thing, it means that the time to begin preparing is now. Any business that contracts with the DoD or subcontracts with a business that sells to the DoD must achieve compliance.

The DoD has stated that CMMC 2.0 will not be a contractual requirement until the Department completes rulemaking to implement the program. Since the announcement of CMMC 2.0 in November of 2021, the DoD has since maintained that the CMMC 2.0 rulemaking process could take anywhere from 9-24 months. According to their website, “the interim DFARS rule established a five-year phase-in period, during which CMMC compliance is only required in select pilot contracts, as approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)).

In fact, an Inside Cybersecurity article cites DoD Director of CMMC Policy, Stacy Bostjanick, who stated, “We are thinking, hoping, and praying that by next March [2023] we will be approved to get an interim rule. There will be a 60-comment period which will put us at the end of May 2023.” If that timeline holds, contractors have no time to waste.

Further cementing the forward progress, Inside Cybersecurity announced in July 2022 that The Cyber AB is beginning the first official CMMC assessment on August 22, 2022, under the Pentagon’s “joint surveillance voluntary program,” where a certified third-party assessment organization will conduct the examination and report the results to the Defense Contract Management Agency for final approval. These assessments are being led by accredited C3PAOs with supervision from Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) and will convert into CMMC assessments upon completion of CMMC Rule Making, expected in March 2023.

CMMC 2.0 Timeline  Charles IT Blog

For many organizations, contracts with the DoD make up a significant part of their revenue. If your company is audited by the DoD and found to be non-compliant, you will be given a stop-work order until your company can implement sufficient security measures to keep CUI protected. The DoD can also impose fines on contractors for breach of contract and false claims. Compliance is also worthwhile for organizations that don’t currently work for the DoD since it can open up new business opportunities in the future. It’s also worth noting that DoD CMMC 2.0 is one of the most comprehensive cybersecurity compliance regimens currently in place, so it’s a great way to establish an organization’s authority in cybersecurity.

It’s important to note that the new CMMC 2.0 requirements don’t replace DFARS regulations. In fact, every DoD contractor that deals with CUI still runs the risk of losing their contracts if they do not comply with the minimum security requirements of DFARS.

Making this transition can be overwhelming – but it doesn’t have to be. That’s why we’ve created this guide to CMMC 2.0; to explain everything you need to know in order to be prepared for CMMC 2.0 compliance.

NOTE: In 2024, everyone will be required to move from CMMC to CMMC 2.0. Ensure you are prepared with our CMMC 2.0 Guide and let us know if we can help talk you through anything!

Editor's Note: This blog was originally published on March 27, 2023. It was edited for accuracy on July 30, 2023. 

Download Our CMMC Compliance Checklist: This checklist will help you determine the right CMMC controls, policies, and procedures to adopt for your organization to achieve CMMC 2.0 Certification.


Most tech consulting starts with “Press 1”

We just like to start with “Hello.”