After five years and several iterations, the Department of Defense (DoD) has released the final version of its Cybersecurity Maturity Model Certification (CMMC) program rule (32 CFR Part 170). The Final Rule was published on October 15, 2024, and takes effect on December 16, 2024. CMMC requirements enter individual solicitations and contracts through a companion DFARS (48 CFR) rule, so organizations in the DoD supply chain could begin seeing the requirements on their contracts as early as mid-December once that rule is in place.
With the CMMC Final Rule, compliance requirements will move from planning to full enforcement, with the rollout for third-party audits varying by contract. For organizations that have been tracking CMMC’s evolution, now is the time to ensure everything aligns with the final standards. For those who have yet to fully prepare, there’s no time to waste. Noncompliance now comes with real risks, from potential contract loss to reputational damage, as the DoD enforces cybersecurity standards across its entire supply chain.
Here’s our perspective on the main takeaways of the CMMC Final Rule.
Key Insights from the CMMC Final Rule
Requirements Based on NIST SP 800-171 Revision 2
While there are some clarifications and slight adjustments, the substance of the three levels is unchanged and remains anchored to NIST SP 800-171 Revision 2. Level 1 covers the 15 basic safeguards of FAR 52.204-21 for Federal Contract Information (FCI); Level 2 covers all 110 requirements of NIST SP 800-171 Revision 2 for Controlled Unclassified Information (CUI); Level 3 adds 24 selected requirements from NIST SP 800-172 on top of Level 2. Sticking with Revision 2, instead of the newer Revision 3 released in May 2024, lets organizations work within a familiar framework, and keep the assessments they have already performed against it, rather than take on a new standard while working toward compliance.
Phased Approach to Compliance Ramp Up
The timeline detailed in the Final Rule sets into motion a ramp-up process designed to bring all Defense Industrial Base (DIB) suppliers into compliance in four phases.
- Phase 1 (starting Dec. 16, 2024) – Contracts will call for a Level 1 or Level 2 self-assessment, depending on whether the contractor handles only FCI or also CUI. DoD may, at its discretion, require a Level 2 third-party certification assessment (performed by a C3PAO) in place of the self-assessment.
- Phase 2 (starting Dec. 16, 2025) – Level 2 third-party certification becomes the default for contracts involving CUI, though DoD may defer that requirement to a later option period rather than apply it at award. DoD may also begin requiring a Level 3 assessment (performed by DoD's own DIBCAC, not a C3PAO) on contracts with more sensitive data.
- Phase 3 (starting Dec. 16, 2026) – Level 2 certification is required at award and for option periods, so the Level 2 self-assessment is phased out for CUI contracts. Contracts with sensitive data require a Level 3 certification; DoD, not the prime contractor, may defer that requirement to an option period.
- Phase 4 (starting Dec. 16, 2027) – CMMC is fully implemented across all applicable DoD contracts. Each contract will require a Level 1 self-assessment, a Level 2 certification, or a Level 3 certification as specified, including option periods on contracts awarded earlier.
This phased rollout gives organizations that present less risk a more flexible timeline. The DoD determines whether a self-assessment or a third-party assessment is required, and which level applies, and spells this out in each solicitation and contract. So, while there are set phases for the CMMC rollout, it is the contract that provides the specifics on the steps and timing, based on the sensitivity of the data being handled. One caveat on the calendar: the program rule defines Phase 1 as beginning on the effective date of the companion DFARS rule, so the dates above assume that rule takes effect on the same schedule.
Cloud Services Must Meet FedRAMP Standards
The Final Rule retains the requirement that cloud service providers used to process, store, or transmit Controlled Unclassified Information (CUI) must be FedRAMP Moderate Authorized or meet FedRAMP Moderate equivalency. Equivalency is not something a vendor can simply assert: under the DoD CIO's December 2023 equivalency memorandum, the provider must demonstrate full compliance with the FedRAMP Moderate baseline through a body of evidence assessed by a FedRAMP-recognized Third Party Assessment Organization (3PAO), and the contractor must be able to produce that evidence for its own assessment. In practice, this narrows the choice of CUI-handling cloud services to those that have been through a FedRAMP assessment. The requirement is scoped to CUI, so it applies to Level 2 and Level 3 environments rather than to FCI-only Level 1 environments.
The implication is that organizations pursuing Level 2 or Level 3 should inventory every cloud service that touches CUI (email, file sharing, backup, endpoint management, and ticketing are common ones), confirm each service's FedRAMP Moderate status, and replace or re-architect around any that do not qualify. The FedRAMP Marketplace lists authorized providers along with the impact level of each authorization; for a claimed equivalency, ask the provider for its 3PAO-assessed body of evidence before relying on it.
What You Should Do Right Now
The CMMC Final Rule is a signal for those in the DoD supply chain that prep time is over. It’s time to get serious about creating and executing your plan for compliance.
Here’s our recommendation for the next steps in your CMMC compliance journey:
- Assign someone to take ownership of the compliance process to make sure that compliance is a priority, not an afterthought.
- Review existing contracts that will potentially include CMMC requirements, identify the required level, and determine whether self-assessment or third-party audit is required.
- Evaluate your current environment for gaps in compliance, starting by scoping which systems, people, and locations handle FCI or CUI, since that boundary determines what will be assessed.
- Assemble a team to plan, implement, and manage the measures you need to attain and maintain compliance.
- As you approach the assessment phase, designate your Affirming Official: the senior representative who will affirm in SPRS that the organization is compliant after each assessment and remains compliant annually thereafter. That affirmation is a formal attestation, so choose someone senior enough to own the risk and close enough to the work to stand behind it.
Is the Final Rule… Final?
For now, the Final Rule has given DoD suppliers a goal and a timeline, providing clarity around what’s needed to achieve CMMC compliance. But we can only speculate on how long this version will last. Technology is evolving, and with NIST SP 800-171 Revision 3 likely to come into play in the future, staying informed and adaptable will be key to responding to changes as they come.
You Need a Guide for Your CMMC Journey
While the goal of CMMC compliance is for DoD suppliers to become uniform in how they protect sensitive information, the path each organization takes to become compliant is unique. Working with a managed service provider who can translate the regulations into security controls that fit your business operations, and who can help keep compliance costs to a minimum, is a smart move for anyone looking to establish or maintain a strong relationship with the DoD.
At VC3, we understand that security and compliance aren't your core business. You're focused on delivering quality products and services and keeping everything running smoothly, all while meeting DoD requirements. That's where we come in. With our team of Registered Practitioners, we translate CMMC requirements into straightforward, practical controls that fit your business operations and help keep compliance costs manageable.
Not sure what to do next? We can help! Get in touch to talk to a CMMC expert.