📰 CMMC 2.0 in 2025 Discussion

josem.serrano

Hello everyone! I recently read this Breaking Defense article that discusses the implementation of the Cybersecurity Maturity Model Certification (CMMC) 2.0.

In the article they state:

"The 32 Code of Federal Regulations (CFR) final rule, which lays the framework for CMMC 2.0, went into effect on Dec. 16, but the DoD won’t actually begin implementing the CMMC 2.0 requirement for contractors until the 48 CFR final rule is released — likely in the spring of 2025.

However, in order to avoid a scramble to meet the new regulations with little notice, those requirements won’t become mandatory until after a three-year phase-in period."

Some questions I thought I should ask this community of compliance professionals were:

• How do you see CMMC 2.0 affecting your company specifically?
  • What challenges do you anticipate when trying to meet these new regulations?
• Is a 3 year phase in period enough to meet these new rules?
• Do you think these updated standards will actually reduce cybersecurity risk?

I'd love to know your thoughts!

richard.moormann

• How do you see CMMC 2.0 affecting your company specifically

Many requests for CMMC assistance from clients. We expect more thru the year.

• What challenges do you anticipate when trying to meet these new regulations?

One challenge will be getting C3PAOs to leverage Apptega as a a document repository and compliance tool as intended. Current recommendations within the ecosystem encourage C3PAOs to force OSAs to upload all their docs to their solution.

• Is a 3 year phase in period enough to meet these new rules?

The regulation requiring this level of compliance are over 5 years old. There is no excuse for a DIB contractor not to have security practices in place.

• Do you think these updated standards will actually reduce cybersecurity risk? Y

Yes.