CMMC Rulemaking: Updates You Need to Know (December 2023)


The finalization of the CMMC rulemaking changes is approaching. The countdown to liftoff for the final CMMC 2.0 rule is almost to T-0. In 2021, the Department of Defense (DoD) unveiled this updated version, streamlining cybersecurity requirements down to three levels from five while aligning requirements with well-known and widely accepted NIST cybersecurity standards. The Office of Information and Regulatory Affairs (OIRA) has completed its review of CMMC 2.0, passing the baton to the Federal Register, which will publish this review in the coming weeks for public comment.

During this 60-day comment period, the public can make suggestions, ask questions, and seek clarification about CMMC. We anticipate public comments to open this month and extend into Q1 2024, so be on the lookout!

When will CMMC 2.0 be finalized?

We expect the final CMMC 2.0 rule to appear in contracts starting in Q1 of 2025. The DoD will gradually introduce the DFARS clause 252.204-7021 into various contract groups over a three-year phased rollout. This gradual introduction means that CMMC 2.0 won’t immediately appear in all contracts overnight. With this phased rollout, it is expected that all relevant DoD contracts will incorporate CMMC 2.0 by 2028.

Defense contractors not yet compliant with all 110 NIST 800-171 controls should prioritize bringing their cybersecurity up to standard immediately. At Alluvionic, we have observed that most small to mid-sized companies require 9-18 months to progress from an average state to being assessment-ready. While many contractors may wait until the final CMMC rule to begin their compliance transition, achieving compliance with CMMC’s 110 cybersecurity requirements takes time. Implementing new technical solutions, developing compliant policies, processes, and procedural documentation, along with executing organizational change strategies, is no simple task. Learn more about planning for your CMMC certification here. 

CMMC Planning with Alluvionic

Alluvionic’s CMMC compliance process assists your team by establishing a baseline for your organization, creating a plan with achievable milestones, implementing new tools and processes to address deficiencies, and ultimately achieving certification. Learn more here and contact our team today to kickstart your CMMC process.
