CMMC Final Rule Goes into Effect December 16, 2024

The CMMC Final Rule has been published, and it will be effective on 12/16/2024. This means that beginning 12/16, C3PAOs can begin performing official assessments.

The below information will drive timelines for your organization.

  • The rule, 32 CFR Part 170, creates the CMMC Program and defines if, when, and how assessments are required and performed.
  • There is a second rule, an update to 48 CFR, that will define the specific contract language (DFARS clause) that will go into contracts. This rule is in draft form and pending review of public comments. Because this rule is smaller and specific, it’s possible the final rule could be effective in early 2025. This rule will “start the clock” on the phased rollout defined in the 32 CFR rule.
  • Phased Timeline – Below are the phases defined in the rule; the dates assume that the 48 CFR rule will be final in early 2025.
    • Phase 1 – Level 1 and Level 2 Self Assessments as condition of award, only optional to require Level 2 C3PAO assessment (estimated to begin early 2025)
    • Phase 2 – Level 2 C3PAO assessments in applicable solicitations and as condition of award, with discretionary delay option period (estimated to begin early 2026)
    • Phase 3 – Level 2 C3PAO assessments in applicable solicitations and as condition of award or exercise of option period, optional to include Level 3 DIBCAC assessment (estimated to begin early 2027)
    • Phase 4 – Full implementation (estimated early 2028)
  • There is not a defined set of criteria to determine which solicitations and contracts will require a Level 2 C3PAO assessment for award during Phase 1 or how many waivers or delays will be granted in Phase 2. Additionally, it appears there is no intent to include the requirement for a Level 2 C3PAO assessment when exercising option periods until Phase 3.

Based on the information Guernsey currently has, most companies should ensure they are ready for a Level 2 C3PAO assessment by the end of 2025, if not sooner.

Next Step:

  • You will need to identify a C3PAO to perform the assessment and ensure you are in their queue well before your target date.
    There are currently 58 organizations authorized to perform assessments and only ~300 certified assessors.

Each assessment requires at least 3 certified assessors, so there is certainly going to be a limit on the number of assessments completed in 2025.

Guernsey is the only Oklahoma-based company to have achieved the Certified Third-Party Assessment Organization (C3PAO) status, which authorizes the firm to provide CMMC assessments, or “audits,” for clients seeking certification to meet their contractual obligations.

To schedule your company's C3PAO assessment, contact Timothy Fawcett, CISSP, Vice President Director of Cybersecurity Consulting, at Timothy.fawcett@guernsey.us or (405) 416-8182.