The CMMC Countdown: Why Your Company Needs to Prepare for 2025 Now, Part 1

This AI-generated image was created on Midjourney and curated by Tom Caliendo.

On December 26, 2023, the Department of Defense published the proposed rule for comments for the Cybersecurity Maturity Model Certification (CMMC) 2.0 program. Some estimate the ruling will become effective in 2025. Is your company ready?

This series of posts will explore how your company can prepare for CMMC going live sometime in early to mid-2025, covering the various topics in CMMC. This first part lays out some high-level reasons why it is essential to start preparing sooner rather than later.

Selecting the correct Azure tenant

The Commercial tenant may not be sufficient for organizations using Microsoft 365 and Azure. This tenant is acceptable for organizations that only handle Federal Contract Information (FCI) and not Controlled Unclassified Information (CUI) (i.e., those that only need to comply with CMMC 2.0 Level 1). If your organization handles CUI, you will need a Government Community Cloud (GCC) tenant at a minimum. You will need a GCC High tenant if you handle CUI Specified (e.g., export-controlled information).

It will take time to migrate from a Commercial tenant to a GCC or GCC High tenant. Hiring a CMMC consultant and/or a managed service provider (MSP) to help you transition would be wise.

Creating the System Security Plan (SSP)

If you have not created an SSP before, this will take time. Level 1 (L1) only has 17 controls, and Level 2 (L2) has 110 controls. Even for L1, it can take a while to adequately document your plan to achieve compliance for each control. Each control has assessment objectives. The SSP should describe how each of those objectives is met. This can take a couple of weeks if it is written for the first time.

It will take longer to write the SSP for L2. It is not merely the increase in the number of controls but the type of controls. L2 requires more than basic protection and requires more documentation. For example, security awareness training is required in L2 but not L1. Typically, this training should have a defined plan for conducting it. That is another document that is needed to support the SSP.

Collecting Evidence

The assessment team will use three possible methods to assess whether the control objectives are met: examination, interview, and test. You will need to provide evidence that supports at least one of those three methods. Ideally, you should be able to use two of the three as part of your evidence.

The evidence needs to support the SSP, and the evidence needs to be organized. If you take the time to organize the evidence for each control, it will make the assessment team’s review much easier and will speed up the assessment time (possibly saving you money too).

Updating Internal Processes

Your company may need to update how it operates. Continuing with the security awareness training example, personnel may need to start taking training and being tested. This additional process takes time and resources. The personnel must take the training, and the training records must be captured and retained as evidence.

Hiring a C3PAO

It would be good to start looking for a C3PAO assessment team now, even if you are not ready. You can find one that is geographically close to you to save on travel costs and one that fits your budget. They cannot start assessments until CMMC 2.0 officially goes live. By signing up with a C3PAO now, you essentially put yourself in line to be assessed when it goes live. If you wait until CMMC goes live to sign up, there might not be any available C3PAOs for a long while. If you cannot secure an assessment slot before a CMMC assessment certificate becomes a contract requirement, your company might be at risk of being excluded from those contracts.

Why Procrastinate?

CMMC will go live sooner than we know it. CMMC 1.0 was announced in late 2020. It is now early 2024. Three years have passed, and the light at the end of the tunnel is getting brighter and brighter.

We discussed some high-level reasons why you should start preparing. In the following posts, we will review more specific topics.

Miguel A. Calles · Serverless CISO

Author of "Serverless Security" · Specializing in CMMC, SOC 2, serverless & engineering.