Phased implementation and C3PAO certifications begin in December 2024
- To ensure defense contractors gradually meet the requirements of the final Cybersecurity Maturity Model Certification (CMMC) rule, the Department of Defense has implemented a four-phase rollout process. Phase 1 begins Dec. 16, 2024, when the final rule takes effect.
- The final rule extends Phase 1 from six months to one year to allow the defense industrial base (DIB) to ramp up and implement the final requirements of the rule. Successive Phases 2, 3 and 4 commence annually thereafter.
External service provider requirements
- External service providers (ESPs) that do not process, store or transmit controlled unclassified information (CUI) are exempt from CMMC certification. Only ESPs that handle CUI must align their certification level with the requirements of the organization seeking certification (OSC).
- This distinction allows some providers to continue operating without certification, reducing compliance burdens based on the nature of their services.
Plans of action and milestones
- Plans of action and milestones (POA&Ms) are allowed, but contractors need to be at least 80% compliant to obtain a conditional certification.
- Open POA&M items must successfully pass a POA&M closeout assessment before full compliance is achieved.
International contractors
- U.S. and non-U.S. organizations will be subject to the same CMMC requirements.
- No additional timeline or special accommodations will be granted to international contractors.
Role of affirming official
- The final rule removes the term “senior official” and replaces it with “affirming official.” The affirming official is responsible for ensuring and affirming the contractor’s compliance with CMMC security requirements.