IMPORTANT DATE: Starting December 16, 2024, DoD requires CMMC Phase 1 Assessments for ALL solicitations as an award condition.
What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC), developed by the Office of the Under Secretary of Defense for Acquisition and Sustainment, ensures that defense contractors meet rigorous protections for Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). This certification is essential to safeguarding against cybersecurity threats.
Who needs CMMC?
CMMC applies to any company with cybersecurity obligations under FAR 52.204-21 and DFARS 252.204-7012, irrespective of contract size or revenue percentage. If FCI or CUI is handled in contract performance, CMMC compliance is mandatory.
Key dates and phased implementation
The CMMC framework rolls out in four phases, beginning with Phase 1 on December 16, 2024. Here’s a breakdown of the timeline and compliance requirements:
- Phase 1 - December 16, 2024: CMMC self-assessment is required for all Department of Defense (DoD) solicitations as a condition of award.
- Phase 2 - One year (2025) after Phase 1: Certification requirements apply to specific DoD solicitations and contracts.
- Phase 3 - One year (2026) after Phase 2: Certification required for all DoD contracts and solicitations, including CMMC Level 3 for relevant contractors.
- Phase 4 - Full implementation one year (2027) after Phase 3: CMMC compliance is required in all contracts, including option periods.
What if your company is not certified?
Without CMMC certification, defense contractors risk ineligibility for contracts with these requirements. Additionally, misrepresentations in self-assessments may lead to prosecution under the False Claims Act, underscoring the need for accurate and proactive compliance.
How Citrin Cooperman can help
Working with experienced compliance specialists will streamline your path to compliance, ensuring that your responses are accurately implemented and meet all requirements. Our specialists help defense contractors proactively assess contracts, conduct self-assessments, identify compliance gaps, and develop a Plan of Action and Milestones (POA&M) to achieve full compliance with Federal Acquisition Regulation (FAR) and National Institute of Standards and Technology (NIST) standards.
Take action now to protect your business and align with DoD standards. Citrin Cooperman’s Cybersecurity team is here to navigate your firm’s CMMC requirements. Contact Kevin Ricci at kricci@citrincooperman.com or Suzan Miller at smiller@citrincooperman.com to learn more about how a readiness assessment can position your company for success in a rapidly evolving cybersecurity landscape.