Skip to main content
  1. CohnReznick: Advisory, Assurance, Tax Firm
  2. Insights
  3. CMMC implementation likely shifting to 2024, but contractors should still prepare now

CMMC implementation likely shifting to 2024, but contractors should still prepare now

Bhavesh Vadhani, Daryouche Behboudi

The Department of Defense (DOD) had planned to seek an interim final rule designation for implementing the Cybersecurity Maturity Model Certification (CMMC) program, its new cybersecurity standard for defense contractors.

Now, the recent released unified agenda indicates that the DOD is seeking to implement the CMMC program, originally released as an interim rule, via a Notice of Proposed Rulemaking (NPRM) mechanism. The unified agenda sets a deadline of May 2023 for NPRM action. As a result, full implementation of the program will likely shift to sometime in 2024.

The current requirements as stated in DFARS clause 7012 requiring contractors to self-attest compliance with the requirements of NIST Special Publication 800-171 still stand. The commitment of the DOD to anchor the CMMC program on the provisions of NIST Special Publication 800-171 remains unchanged. In June 2022, the DOD’s acquisition office issued a memo reminding acquisition officials of the current NIST 800-171 standard, and offering “contractual remedies to ensure compliance” with the DFARS clause.

The Department of Defense is committed to improving the security of its supply chain by requiring its contractors to eventually meet the requirements specified in the CMMC program. The delay is a reflection of the complexity and diversity of the Defense Industrial Base (DIB). While many DIB contractors may see this as another reason to “kick the can” to implement controls or to enhance their cybersecurity program, we recommend that contractors take advantage of this additional time or the transition period to continue to assess and strengthen their cybersecurity posture.

Whether you’re well on your way to CMMC compliance or just getting started, use our “road map to compliance” to check your progress and plan your next steps. And as always, feel free to reach out to our team for more information.

Bhavesh N. Vadhani, CISA, CRISC, CGEIT, PMP, CDPSE, Principal, Global Leader, Cybersecurity, Technology Risk, and Privacy

703.847.4418

Daryouche Behboudi, Advisory Managing Director

703.744.8507

Related Services

This has been prepared for information purposes and general guidance only and does not constitute legal or professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick LLP, its partners, employees and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.
Bhavesh N. Vadhani
CISA, CRISC, CGEIT, PMP, CDPSE, Principal, Global Leader, Cybersecurity, Technology Risk, and Privacy
View full biography
Contact Bhavesh
Daryouche Behboudi
Advisory Managing Director
View full biography
Contact Daryouche
Access Our Government Contracting Topic Page for Key Insights & Powerful Tools
Explore insight collection