Ardalyst Town Hall Recap: August 2024 Cyber AB Town Hall Highlights
The August 2024 Cyber AB Town Hall was an informative session packed with updates for those in the cybersecurity space, particularly organizations within the Defense Industrial Base (DIB) navigating the complexities of the Cybersecurity Maturity Model Certification (CMMC). The event provided a roadmap of upcoming regulatory changes and valuable insights into the CMMC ecosystem’s ongoing evolution.
TL;DR – Key Takeaways from the Town Hall:
- CMMC Rulemaking Timeline: The final rule publication is expected by November 2024, followed by a 60-Day Congressional Review likely commencing in late December 2024 or early January 2025. This sets the stage for an official CMMC go-live of March 2025.
- Transition from 8570 to 8140 Certification: The baseline certification for CCAs under 8570 will no longer be recognized once CMMC is published, with the 8140 certifications taking precedence.
- FedRAMP Equivalency Memo: Both Organizations Seeking Certification (OSCs) and External Service Providers (ESPs) should review the FedRAMP Moderate Memo. This is particularly relevant for Cloud Service Providers aiming to meet the equivalent standards required under the CMMC framework.
- Authorized C3PAO Growth: The number of certified C3PAOs has grown to 57.
- Upcoming OIG CMMC Program Audit: Anticipated for mid-October 2024, the OIG will perform an audit of the CMMC program. This audit is expected to provide additional oversight and potentially influence final rule adjustments.
CMMC Projected Timeline and Key Milestones
One of the most important announcements was the March 2025 target for CMMC to officially go live, a milestone eagerly anticipated across the defense sector. Leading up to that, November 2024 is when the final rule is expected to be published. Following this, a 60-day Congressional review period will likely commence between late December 2024 and early January 2025.
The timelines underscore the importance of preparation for organizations aiming to secure contracts with the Department of Defense (DoD). During the town hall, the Cyber AB reinforced that all defense contractors, especially those pursuing Level 2 CMMC certification, should start preparing now to meet these deadlines and ensure compliance.
Upcoming Audits
In October 2024, the Office of the Inspector General (OIG) will conduct a CMMC program audit, an event that contractors and cybersecurity professionals should watch closely. This audit could shape the future of the CMMC program and provide insights into what compliance will entail for businesses.
FedRAMP Memo and DFARS 7012
The town hall also placed emphasis on FedRAMP-Equivalency Memo updates, specifically addressing cloud service providers. This new guidance will offer clarity on how cloud service providers can ensure compliance with DFARS 7012 and safeguard sensitive DoD data.
Upcoming Events
There are numerous CMMC events happening throughout the remainder of the year and early 2025. Please see the graphic below for an event near you.
CMMC Certification and Training
The Cyber AB continues to enhance its certification framework, including updates on CMMC Assessor (CCA) and Cybersecurity Practitioners (CCP) certifications. These updates are critical as the industry transitions from 8570 to 8140 certification requirements, marking a shift in how individuals are trained and accredited in cybersecurity roles. The 3 Assessment requirement for C3PAOs was used to validate prior experience. Today, CCA certifications require 3 years of cybersecurity experience and 1 year of assessment experience. The 3 Assessment requirement is no longer needed to become a Lead Assessor and is going to be removed from the Cyber AB website.
A notable change is that the CCP certification has added the requirement to obtain a Tier 3 Background check before achieving certification. Those who are not able to conduct a background investigation can go through an “Equivalent” investigation. There has been no announcement on what will be considered Equivalent. It is expected that this will be identified by the time CMMC is fully enforced in March 2025.
It is important to note that the town hall clarified that 8570 certifications will no longer be recognized once CMMC is fully enforced. Instead, individuals will need 8140 certifications, which cater to military service members, DoD civilians, and contractor employees.
The Cyber AB Marketplace and C3PAO Growth
The Cyber AB’s marketplace continues to expand, offering Authorized C3PAOs (Certified Third-Party Assessment Organizations) a platform to promote their services. As of August, the town hall revealed that 57 C3PAOs have been authorized, a number expected to grow as demand for compliance assessments surges.
Looking Ahead: 2025 and Beyond
The Cyber AB reiterated that the CMMC Certification Infrastructure (CCI) program is expected to launch in late 2025. This program will support long-term compliance and streamline the certification process for defense contractors.
The August 2024 Cyber AB Town Hall provided valuable insights for contractors aiming to stay ahead of compliance deadlines. With CMMC becoming a requirement by March 2025, NOW is the time to focus on certifications, audits, and updates to your cybersecurity framework to ensure your business remains competitive in the defense space.
If you’re looking to get CMMC compliant, Tesseract can do a lot of the heavy lifting for you. We believe it is the most cost-effective, comprehensive and flexible solution available. Tesseract leverages patent-pending technology to help businesses develop a CMMC cybersecurity program that is customized for the way your business operates at a price comparable to more standardized offerings. We also focus on continuous compliance, so you know you’re ready for your first assessment and the next one, too.