CMMC Timeline


The Cybersecurity Maturity Model Certification (CMMC) is a new regulation being rolled out by the US Department of Defense (DOD). The objective of CMMC is to improve the cybersecurity of the defense industrial base by requiring defense contractors to pass a third-party audit that demonstrates compliance with the requirements of one of the five levels of CMMC compliance. CMMC’s timeline for full rollout allows businesses to get fortified in a timely manner—if they begin acting now. 

The design of CMMC focuses on the supply chain of defense contracts. A defense contract requiring CMMC compliance will mandate that the prime contractor and all subcontractors achieve certain levels of CMMC compliance based upon their role on the project and the sensitivity of the information that they have access to.

Key Milestones for CMMC

CMMC regulation is still in its early stages with a plan to roll it out over several years. Throughout the CMMC rollout timeline, assessors will be selected and increasing numbers of contracts will require CMMC compliance.

First Certified Third Party Assessors Approved

CMMC requires contractors to undergo an assessment by a third-party assessor. This third-party assessor must be approved by the CMMC Accreditation Body (CMMC-AB).

Due to the youth of the regulation, the CMMC-AB has only finalized the process for one CMMC assessor and is working to onboard more assessors. The plan is for the process to build capacity to approve more assessors at scale.

Contracts Requiring CMMC Approval

The DOD does not plan to roll out CMMC to all contracts immediately. Instead, between 2021 and 2026 increasing numbers of DOD contracts will require CMMC compliance. The goal of these contracts is to accredit more contractors (both prime and sub) each year.

The targets for contracts requiring CMMC compliance each year are:

  • 2021: 15 “pathfinder” contracts designed to achieve 899 Level 1, 149 Level 2, and 452 Level 3 certifications.
  • 2022: 75 contracts designed to reach 7,500 accredited prime and subcontractors
  • 2023: 250 contracts to reach 25,000 accredited contractors
  • 2024: 479 contracts
  • 2025: 479 contracts

In the first seven years of the program, the plan is to accredit 220,966 contractors against the new CMMC requirements.

Implications of the CMMC Timeline

CMMC is a fast-moving process. In FY 2021, the DOD plans to have 1,500 contractors accredited at various levels of CMMC compliance. However, the CMMC-AB has not yet defined the process for approving auditors to assess and accredit these contractors.

Many organizations that will require CMMC compliance are likely not currently compliant with the regulation. A survey by Sera Brynn of compliance with NIST 800-171—a standard that inspired many of the CMMC controls and relies on self-accreditation—found that surveyed organizations had only fully implemented 53% of the required controls. Since the CMMC requires third-party certification of full compliance, these companies have a long way to go.

With over a thousand companies requiring CMMC compliance this year, getting started early is essential to passing the audit in time to bid on “pathfinder” contracts. To get started on assessing compliance gaps and developing a strategy for closing them, contact us.

Write a comment