Recently, it was announced that Katie Arrington was promoted to acting CIO for the Department of Defense. With the efforts for CMMC being spearheaded by her and the task force she was a part of, many have taken to social media to speculate on the decay of the program. Despite this, most assessors and organizations are still expecting the CMMC program to maintain its course.
There have been several announcements appearing of organizations achieving favorable results in their Certified 3rd Party Organization assessments with them simply waiting on the accreditation board to issue them the certification. We have additionally seen some SOWs already starting to require CMMC assessments within six to twelve months of contract award.
Even if the DoD were to not require certifications in the expected time frame due to complications, prime contractors are very likely to set expectations for CMMC compliance regardless for their subcontractors. The reality of the situation is that cybersecurity is still an expectation for organizations that handle, create, or otherwise interact with protected defense information. DFARS 252.204-7012 has required contractors to implement all of the controls within CMMC level 2 since January of 2018 and the final rule for CMMC program was published in October of 2024. Additionally, 48 CFR 52.204-21 has required all of the content for CMMC level 1 compliance to be met since March of 2016.
Don’t wait until the last minute when you find your RFP requires CMMC! Contact our team of experts to discuss your CMMC readiness. Learn more about CMMC and assessment preparation, here.
