Key Updates on CMMC Rollout and Compliance (As per Title 32 CFR)

October 22, 2024

Key Updates on CMMC Rollout

1. Rollout Phases & Timeline

  • Phase 1 has been extended to 1 year (from 6 months) and won’t begin until 48 CFR is finalized.
  • Phases 2-4 will follow annually, with full CMMC implementation across contracts by 2028.
  • Starting Dec 15, 2024, DoD contracts may begin requiring specific CMMC levels for award.

2. Records Retention & Assessment Teams

  • Records retention: 6 years for all assessment-related documents.
  • Assessment teams: Must have 3 Certified CMMC Assessors (CCA), including a lead and a quality assurance (QA) CCA.

3. Reassessment & Recertification

  • If major changes to CMMC occur, recertification may be required for Certified Professionals (CCPs), Assessors (CCAs), and Instructors (CCIs).

4. Cloud & Service Providers

  • Cloud Service Providers (CSPs) processing Controlled Unclassified Information (CUI) must be FedRAMP authorized or equivalent.
  • External Service Providers (ESPs) handling CUI may reduce client effort by undergoing voluntary CMMC certification.

5. Specialized Assets

  • In Level 3 assessments, specialized assets such as IoT, Operational Technology (OT), and government-furnished equipment will be fully assessed against all requirements.

6. Re-evaluation of Non-Compliance

  • Requirements marked as NOT MET may be re-evaluated during the assessment and within 10 business days, provided that new evidence does not affect already met requirements.

7. Risk Management & Asset Classification

  • Contractor Risk Managed Assets (CRMA) are now considered CUI assets under Level 3 assessments.
  • Virtual Desktop Infrastructure (VDI) endpoints, if properly configured, can be considered out of scope.

8. Certification Conversion

  • DIBCAC High Assessments conducted before the effective rule date and achieving a perfect score will automatically convert to CMMC Level 2.

Program History & Current Status

History:

  • In 2020, the DoD rolled out CMMC, and in 2021, revisions were made to introduce a tiered model, assessment verification, and phased implementation.

Current Status:

  • CMMC can now be required in DoD contracts under 48 CFR, and 357 entities have already been assessed.
  • An estimated 8,350 medium-to-large entities will need to meet Level 2 certification, with assessments ramping up annually.

Key Compliance Notes

  • Prime contractors are required to flow down CMMC requirements to all subcontractors handling CUI or Federal Contract Information (FCI).
  • Subcontractors with CUI access will need at least Level 2 (Self) certification.
This digest simplifies complex regulatory requirements and keeps defense contractors informed of the crucial updates, deadlines, and compliance obligations tied to the CMMC program.