The Department of Defense (DoD) published the CMMC 2.0 Proposed Rule on December 26th.
This kicked off a 60 day “public commenting period” which ends next week on February 26th. That gives you less than a week if you want to provide your input or ideas to improve this sweeping cybersecurity assessment framework. You can submit comments here.
So far about 140 comments have been received. This is significantly down from the 750 public comments received when CMMC 1.0 was published. With the reduced number of comments, the DoD may get through the “Adjudication” phase of the rule making process quicker than anticipated.
The included “CMMC Implementation Timeline”* chart shows the CMMC Final Rule being published in January of 2025. However, with a shorter “Adjudication” phase, some have speculated that the final rule may be published in Q4 of this year.
Either way, if you haven’t started your implementation of NIST SP 800-171r2, the time to start is now. These implementations will take on average 12 to 24 months.
Companies that are already working on it will have an advantage with prime contractors who want to reduce their risk by selecting subcontractors that already have their cybersecurity program CMMC assessed.
If you have questions, schedule a free 15-minute consultation with our cybersecurity experts to answer your questions about starting your NIST SP 800-171r2 implementation.
*Thanks to our friends at Future Feed for providing the “CMMC Implementation Timeline” graphic.
About AXIOTROP, LLC:
AXIOTROP’s mission is to make cybersecurity accessible, attainable, and sustainable for small and medium-sized businesses so they remain competitive and poised for growth. We simplify cybersecurity by working closely with businesses to right-size their program for their needs, resulting in client retention, business expansion, and reduced risk.