By this point, all companies in the defense sector (contractors and subcontractors) know they need to adhere to CMMC compliance requirements. With the U.S. Department of Defense and NIST updating guidelines, it’s vital to understand what changes are coming and when. Heading into 2024, clarity on this timeline becomes crucial for compliance planning.
We’ve mapped out the dates and milestones you need to be aware of in 2024 to help you stay on track with CMMC compliance and the NIST SP 800-171 revisions. From new drafts to finalized rules, here is what you can expect and how to prepare for it. Whether you’re working on current compliance or planning for new revisions, this guide will keep you ahead of the curveballs.
Before you dive in, here’s a quick refresher: NIST SP 800-171 is the framework of cybersecurity requirements for the DoD. The CMMC model integrates several cybersecurity standards to ensure the DoD supply chain remains secure.
Timeline: 2024 Milestones for CMMC Compliance & NIST SP 800-171 Rev. 3
As we zoom into 2024, it’s crucial to understand the likely developments happening in 2023 as well. While the DoD rolls out CMMC 2.0, which simplifies the level of requirements (based on NIST SP 800-171 Rev. 2), it may add changes to CMMC 2.0 (based on the upcoming NIST SP 800-171 Rev. 3). Confused? Here’s a timeline to help you map out what’s coming.
What to expect in 2023
Look Out for Next Draft of Rev. 3
When: End of 2023
What: Final discussion draft post-public comments
Why: Last chance for public input on Rev. 3
CMMC 2.0 Phased Implementation
When: May 2023 – Oct 2025
What: Mandatory compliance for DoD contractors
Why it matters: Now is the time to prepare your business to meet CMMC compliance requirements.
Though the completion of the phased implementation is slated for October 2025, compliance steps will be progressively expected from DoD contractors through 2024 as well.
As of this blog post, the six-month audit recommendation means you should be in the evaluation phase, if not already compliant.
2024: Expanded CMMC compliance required
Requirements Included in More Contracts
When: Throughout 2024
What: DoD rolls out CMMC requirements into more contracts
Why it matters: Renewals or new contracts will likely require CMMC 2.0 compliance. Look for this in the fine print.
Uptick in Subcontractor Compliance
When: Throughout 2024
What: More subcontractors required to demonstrate CMMC 2.0 compliance
Why it matters: Not all subcontractors will be up to speed on compliance requirements. Accomplishing this ASAP will make you a more attractive partner.
Full CMMC 2.0 Implementation
When: Late 2024
What: With a goal of full implementation in 2025, late 2024 will be the time for last-minute assessments and adjustments in compliance strategies.
Why it matters: If you’re lagging in compliance, this is your catch-up period before full implementation in 2025.
Why You Can’t Ignore NIST 800-171 Rev. 3 in 2024
Although CMMC 2.0 is getting most of the attention right now, it’s important to understand why you should be focused on NIST 800-171 Rev. 3.
Rev. 3 may make you re-evaluate how far you’ve come and how much further you need to go. It doesn’t necessarily make things more complicated; rather, it clarifies what you should’ve been doing all along. For example, it fine-tuned requirements like the “allow list function,” illustrating that while setting up may be easy, maintenance is an entirely different ballgame.
If you haven’t started paying attention to NIST 800-171 Rev. 3, it’s time to buckle down. The clarifications and changes it brings could have a substantial impact on your compliance journey, and by extension, your standing in the Defense Industrial Base (DIB).
As you navigate through 2024, keep Rev. 3 on your radar—because compliance waits for no one.
A Paradigm Shift in DoD Cybersecurity Compliance
As we advance through 2024, the focus is increasingly shifting towards more robust cybersecurity practices, especially in the DIB. NIST 800-171 Rev. 3 is not just another version—it’s a clarifying force that could redefine how you approach compliance. Coupled with the unfolding timeline of CMMC 2.0, these standards are integral to shaping a more secure and resilient supply chain. Whether you’re already compliant or just starting your journey, being proactive rather than reactive is the key to navigating these complexities successfully.