On December 16, 2024, the CMMC Final Rule officially became law after a 60-day Congressional review. To be precise, the update to 32 CFR (Code of Federal Regulations) was published in October, and after making it through the review process unchanged, it’s now fully in effect.
So what does that mean? Well, I’m glad you asked.
What the Final Rule Means
The Final Rule officially establishes CMMC as law and sets up the system as it currently exists. Defense contractors will now need to either pass an appropriate audit or self-certify if they process, store, or transmit Controlled Unclassified Information (CUI). The standards for Level 1 organizations with Federal Contract Information (FCI), as well as Levels 2 and above handling CUI, are now defined.
The framework for assessments and the certification ecosystem is officially in place, meaning assessments and certifications can now begin. With all necessary components in place and no more changes expected, organizations subject to CMMC can start the process of attestation or certification.
Why You Don’t See CMMC in Contracts… Yet
At this point, you may be wondering why you’re not seeing CMMC in your contracts yet. While the law is established, the updates to the Defense Federal Acquisition Regulation Supplement (DFARS), which will contractually implement the CMMC requirements in solicitations and contracts, are still not complete. This update is expected in mid-2025, after which the DoD will roll out the CMMC requirements over a three-year period.
To put it simply, the laws are in place, and we should start seeing the contractual requirements in the near future. The end goal is for all DoD contracts to feature CMMC requirements within the next three years, beginning once the DFARS is updated.
What Does It Mean for You?
Now that the technical details are covered, let’s discuss what this means for you. CMMC is here, and it’s not going to change significantly. The program has cleared all the hurdles, and now it’s just a matter of time before federal contracts require it. If you’re in the Defense Industrial Base (DIB) and haven’t started your CMMC journey yet, time is absolutely running out. You’re behind the eight ball.
If you want to keep your business, or perhaps get into the business to open up more opportunities, you can’t afford to put this off any longer. Grab your copy of NIST SP 800-171 (Rev 2), get professional help, and make sure you’re working toward compliance. Pay attention to the requirements of CMMC so you can get your SPRS score uploaded. The future of DoD and the DIB is rapidly approaching—don’t get left behind.
Need help getting started on your CMMC journey? Convergence Networks can guide you through every step of the process, from assessments to certification. Contact us today to learn how we can support your compliance journey.