Approaching execution of CMMC journey
As the Cyber AB gears up for the impending contract requirements, set to launch later this year, the Defense Industrial Base (DIB) is preparing for a significant shift in cybersecurity standards. The Cyber AB, tasked with overseeing the training and certification of CMMC assessors, has already accredited 455 CCAs, including 300 "lead CCAs".
The Timeline for CMMC Requirements
The implementation timeline for the Cybersecurity Maturity Model Certification (CMMC) requirements for defense contractors is as follows:
- The CMMC Final Rule was published on October 15, 2024, and took effect on December 16, 2024.
- Early 2025: CMMC requirements started appearing in Department of Defense (DoD) contracts.
- May 1, 2025: CMMC was codified in DFARS Title 48 regulations, reinforcing contract requirements.
- October 1, 2025: Nearly all new DoD contracts will require CMMC certification, with a phased rollout continuing until 2028.
- October 1, 2026: Deadline for mandatory compliance for all Managed Service Providers (MSPs), Managed Security Service Providers (MSSPs), and others doing business with the DoD.
The phased rollout means contractors should prepare now, since a typical implementation period runs 12 to 18 months. Supply chain verification is also required: prime contractors are responsible for verifying subcontractor compliance before contract awards.
The Need for CMMC Assessors
With over 80,000 defense contractors requiring compliance, and the vast majority (about 95%) of organizations handling Controlled Unclassified Information (CUI) needing third-party assessments, there is a substantial demand for trained and certified CMMC assessors. Given the volume and a known assessment backlog of 3-6 months, estimates suggest thousands of certified assessors will be required in the coming years to manage the phased rollout across the Defense Industrial Base.
The Future of the CMMC Program
Matthew Travis, chief executive of the Cyber AB, has stated that the CMMC program is the most ambitious cybersecurity conformity regime ever attempted due to the vast size of the defense industrial base and the numerous security requirements involved in attaining CMMC certification. The phased implementation strategy of the CMMC program was outlined in the DoD program rule last year.
The CMMC acquisition rule is expected to be published and go into effect sometime this fall. The Defense Department submitted the final Cybersecurity Maturity Model Certification (CMMC) acquisition rule to the White House Office of Information and Regulatory Affairs on July 22. The department is aiming for a three-year phased implementation plan to reach full capacity and maturity of the CMMC program.
A one-day virtual event named Workforce Reimagined, focused on building a federal workforce that is skilled, resilient, and ready to meet evolving mission demands, will be held on August 26. The DoD is also piloting a shared service approach with cloud service providers and managed service providers to ease the compliance burden.
Travis also mentioned that, until recently, there had not been a clear economic incentive to get certified as a CCA because the timing of the CMMC requirements was uncertain. Approximately 2,000 to 3,000 CCAs are needed to fully scale the CMMC program. The CMMC program has been in development at DoD since 2019, with the aim of verifying that defense contractors meet cyber standards for protecting controlled unclassified information.
- To meet the increasing demand for CMMC certification as the rollout of requirements continues, the federal workforce will need to be reimagined, particularly the workforce tasked with assessing and training defense contractors in cybersecurity, since thousands of certified CMMC assessors will be required over the coming years.
- Because the Defense Department is aiming for a three-year phased implementation plan to reach full capacity and maturity of the CMMC program, the federal workforce, including staff in technology and cybersecurity roles, must be prepared to implement and adhere to the new cybersecurity standards, especially given the ambitious nature of the CMMC program and the vast size of the defense industrial base.