CMMC 2.0 – Waiting on the Final Rule Can Have Consequences

Modified on: February 13, 2023

CMMC Model 2.0 was announced in 2021 and will be implemented very soon. 

The Rules:

  • Part 32 of the Code of Federal Regulations (CFR) (Federal Acquisition Rules) (FAR)
  • Part 48 of the CFR (Defense Federal Acquisition Regulation Supplement) (DFARS)

All DoD contractors will be required to comply once rulemaking is final. A public comment period will last through May 2023, and DoD solicitations will include CMMC requirements.

Although rulemaking will not be final until this time, the DoD encourages contractors to continue improving their cybersecurity posture during the interim period while the rulemaking is underway.


Preparing for CMMC Level 2 is time-intensive and not a zero-sum game. The rulemaking finalization may catch some DoD contractors off guard if the prerequisites still need to be completed. CMMC certification must meet the prerequisites to be achieved.

The CMMC Ecosystem will be stretched and could be a mad rush to the finish line once final rulemaking is completed. If you have not already, start the journey with the DFARS clauses. Doing nothing is not a plan; it’s risky and ignores FAR, CUI, DFARS, and CMMC compliance requirements.

Minimum Regulatory Requirements Before CMMC Certification