CMMC implementation likely shifting to 2024, but contractors should still prepare now

get ready for dod cmmc govcon

The Department of Defense (DOD) had planned to seek an interim final rule designation for implementing the Cybersecurity Maturity Model Certification (CMMC) program, its new cybersecurity standard for defense contractors.

Now, the recent released unified agenda indicates that the DOD is seeking to implement the CMMC program, originally released as an interim rule, via a Notice of Proposed Rulemaking (NPRM) mechanism. The unified agenda sets a deadline of May 2023 for NPRM action. As a result, full implementation of the program will likely shift to sometime in 2024.

The current requirements as stated in DFARS clause 7012 requiring contractors to self-attest compliance with the requirements of NIST Special Publication 800-171 still stand. The commitment of the DOD to anchor the CMMC program on the provisions of NIST Special Publication 800-171 remains unchanged. In June 2022, the DOD’s acquisition office issued a memo reminding acquisition officials of the current NIST 800-171 standard, and offering “contractual remedies to ensure compliance” with the DFARS clause.

What does CohnReznick think?

The Department of Defense is committed to improving the security of its supply chain by requiring its contractors to eventually meet the requirements specified in the CMMC program. The delay is a reflection of the complexity and diversity of the Defense Industrial Base (DIB). While many DIB contractors may see this as another reason to “kick the can” to implement controls or to enhance their cybersecurity program, we recommend that contractors take advantage of this additional time or the transition period to continue to assess and strengthen their cybersecurity posture.

What’s next?

Whether you’re well on your way to CMMC compliance or just getting started, use our “road map to compliance” to check your progress and plan your next steps. And as always, feel free to reach out to our team for more information.


Bhavesh N. Vadhani, CISA, CRISC, CGEIT, PMP, CDPSE, Principal, Global Leader, Cybersecurity, Technology Risk, and Privacy


Daryouche Behboudi, Advisory Managing Director



Get in touch with our specialists

View All Specialists
Bhavesh Vadhani

Bhavesh Vadhani

CISA, CRISC, CGEIT, PMP, CDPSE, Principal, Global Leader, Cybersecurity, Technology Risk, and Privacy
Behboudi Daryouche

Daryouche Behboudi

Advisory Managing Director

Looking for the full list of our dedicated professionals here at CohnReznick?



Let’s start a conversation about your company’s strategic goals and vision for the future.

Please fill all required fields*

Please verify your information and check to see if all require fields have been filled in.

Please select job function
Please select job level
Please select country
Please select state
Please select industry
Please select topic

Access Our Government Contracting Topic Page for Key Insights & Powerful Tools

This has been prepared for information purposes and general guidance only and does not constitute legal or professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick LLP, its partners, employees and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.