ARTICLE
Brought to you by the AGC Construction Technology Committee

As a Department of Defense (DoD) contractor, you've likely heard the phrase "CMMC is coming soon" more times than you can count. The wait ended in December 2024 as the Cybersecurity Maturity Model Certification (CMMC) program went live.

Here are the key milestones and what they mean for your compliance journey:

- October 15, 2024: Final program rule for CMMC published in the Federal Register.
- December 16, 2024: CMMC becomes an official DoD program with the finalization of Code of Federal Regulations (CFR) 32 Part 170.
- January 2, 2025: Certified Third-Party Assessors (C3PAOs) begin their own certification assessments.
- Q2/Q3 2025: 48 CFR for CMMC is expected to be finalized, allowing contracting officers to make CMMC compliance a condition of contract awards.

Where Are We Now?
We are currently between CMMC requirements finalized (32 CFR) and the CMMC contract clause implemented (48 CFR). This period is critical for contractors to assess their readiness and prepare for the upcoming compliance requirements.

- Assessment Processes Finalized: The certification creation process for CMMC levels is now complete.
- C3PAOs Authorized: Certified Third-Party Assessor Organizations (C3PAOs) are being approved to conduct assessments. DIBCAC Level 2 assessments have been underway; C3PAOs are preparing for certification and scheduling customers for assessments, with many already booked through July.

Understanding Your Compliance Requirements
Now is the time to identify your compliance obligations and create a roadmap to meet them. Here's what you need to know:

- Flow-Down Requirements: CMMC applies to subcontractors through the inclusion of DFARS Clause 252.204-7021 in contracts. If a company is awarded a contract with this clause, it must include the clause in its subcontracts.
- No NIST 800-171 Changes or Exclusions: If your contract includes DFARS clauses (e.g., 252.204-7012 or 252.204-7020), these requirements remain in place alongside CMMC obligations.
- Retention Requirements: Security-related documentation has a 6-year retention period. The statute of limitations for False Claims Act prosecution is also 6 years. Security protection data must be protected as CUI.

What Happens When 48 CFR Takes Effect and a Contract Includes a 252.204-7021 Clause?
Once 48 CFR is finalized, compliance requirements will vary depending on the type of information you handle:

For Federal Contract Information (FCI) – CMMC Level 1:
- Self-attestation is required, with an executive signature affirming your organization's security posture.
- Attestations must be submitted through the SPRS portal, alongside your NIST score.
- Subcontractors must meet or exceed the same requirements, depending on their FCI/CUI handling.

For Controlled Unclassified Information (CUI) – CMMC Level 2:
- The contracting officer may determine that the information sensitivity is low and allow self-attestation. Attestations are also submitted through SPRS, but apply to a much higher bar of compliance requirements.
- More likely, the contract will specify third-party certification of Level 2 compliance. Third-party certification involves a rigorous assessment process conducted by a C3PAO team, requiring at least three assessors and typically taking several weeks to complete; if certification is achieved, a QA assessor uploads the result to eMASS for the company seeking certification.
- The limited number of certified assessors will result in significant scheduling lead times. Contractors should start planning now. Scheduling with some C3PAOs is already at a 6+ month lead time.
- Compliance requirements above and beyond Level 2 for export-controlled and other sensitive information remain in place, even after achieving Level 2 certification.

Why Act Now?
Becoming CMMC compliant is not an overnight process. Delays in planning or scheduling your assessment could jeopardize your eligibility for future contracts. This requires participation across the business as a culture of security improvement; many controls and requirements are not "just" IT changes.

Click here for the AGC of America CMMC resources page with information and links to past AGC training resources.

Questions – Join the User Group
The AGC Technology Committee Chair, Mandy Irvine McClure, is forming a CMMC User Group dedicated to fostering collaboration among contractors navigating CMMC requirements. This remote, monthly meeting will provide a space to discuss challenges, share insights, ask questions, and stay updated on the latest compliance developments. Whether you're just starting your CMMC journey or looking to refine your approach, this group offers a valuable opportunity to connect with industry peers and experts. Please contact Mandy for more information.