
Cyber AB - CMMC Reaches Significant Program Milestone Today



*** NOTICE TO THE CMMC ECOSYSTEM ***

16 December 2024

 

CMMC Reaches Significant Program Milestone Today

Updated guidance for the Ecosystem and defense contractors as CMMC Title 32 Final Rule enters into force


(National Harbor, MD)—The Cyber AB is recognizing today’s effective date of the Department of Defense’s codification of the Cybersecurity Maturity Model Certification (CMMC) Program in the Code of Federal Regulations (32 CFR part 170) with updated information on operational preparations for the commencement of voluntary CMMC Level 2 certification assessments.

 

32 CFR part 170 establishes CMMC as a Department of Defense (DoD) program and as of today’s effective date allows for the commencement of numerous CMMC Ecosystem functions and activities.

 

The impending CMMC Title 48 Proposed Rule, which would implement CMMC requirements in the Defense Federal Acquisition Regulation Supplement (DFARS), remains in the Federal rulemaking process. No mandatory CMMC contractual requirements for defense contractors can take effect until the CMMC Title 48 Final Rule is approved and becomes effective.

 

Today, the provisions and requirements of CMMC—as established under 32 CFR part 170—are in effect. The Cyber AB is providing the following information to the CMMC Ecosystem and industry partners:

  • The updated CMMC Code of Professional Conduct (CoPC) is available on The Cyber AB website (cyberab.org). This version (2.0) of the CoPC is now in effect for all members of the CMMC Ecosystem.

  • The CMMC Assessment Process (CAP) is also now available (cyberab.org). The CAP is the required procedural guide for Authorized CMMC Third-Party Assessment Organizations (C3PAOs) to use on CMMC Level 2 certification assessments.

  • The Cyber AB will commence authorizing eligible C3PAOs to conduct CMMC Level 2 certification assessments. C3PAOs who were previously “pre-authorized” under the former (“CMMC 1.0”) framework will require formal reauthorization.

  • In order to allow all eligible C3PAO candidates an opportunity for authorization before certification assessments begin, the effective date of all initial C3PAO authorizations will be Thursday, 2 January 2025.

  • Therefore, any organization seeking a voluntary CMMC Level 2 certification assessment from an Authorized C3PAO is advised that no certification assessments will commence before 2 January 2025.

  • After 2 January 2025, The Cyber AB will continue authorizing C3PAOs on a rolling basis with a commensurate effective date of authorization.

  • Please note that the CMMC Marketplace will not display any Authorized C3PAOs until 2 January 2025. This does not preclude any pre-authorized C3PAO from entering into contractual agreements prior to that date with organizations seeking a voluntary CMMC Level 2 certification assessment.

  • Similarly, only CMMC Certified Assessors (CCAs) who meet the certification requirements codified under 32 CFR 170.11 will now be listed in the CMMC Marketplace.

Please continue to refer to The Cyber AB website for additional updates.

 

About The Cyber AB

The Cybersecurity Maturity Model Certification Accreditation Body, Inc. (d/b/a The Cyber AB) is the sole authorized and independent accreditation body of the CMMC Program. The Cyber AB is a non-profit, tax-exempt 501(c)(3) charitable organization that supports the CMMC Program through a non-cost contract with the Department of Defense.

 
