Ardalyst Town Hall Recap: October 2024 Cyber AB Town Hall Highlights

The latest Cyber AB Town Hall gave us some key updates on the Cybersecurity Maturity Model Certification (CMMC) program and what’s next for timelines and accreditation in the defense sector. Here’s a rundown of what was discussed and why it matters for defense contractors and managed service providers (MSPs) working on federal contracts.

Mark Your Calendar: Final CMMC Rule Kicks Off This December!

The final CMMC rule is set to go live on December 16, 2024, despite being under Congressional review. This date marks a critical checkpoint for compliance, as the DoD will review public comments on Title 48 in early to mid-2025. The message is clear: defense contractors need to have their CMMC compliance in order by year’s end to stay on track.

Welcoming The Cyber AB’s New Director of Accreditation

The Cyber AB introduced Steve Medellin as the new Director of Accreditation. With over 20 years in cybersecurity, Steve will play a central role in maintaining high accreditation standards as the Cyber AB continues to advance its CMMC mission.

CEIC East: Demand Surges for Training & Networking

This month’s CEIC East event will be a big one, with over 550 participants, 49 sponsors, 38 exhibitors, and 35 speakers registered. Attendees can look forward to pre-conference training, including CCP and CCA certification prep. The packed turnout reflects the industry’s growing commitment to achieving CMMC certification.

New Compliance Protocols for CMMC Assessors

The Cyber AB announced updated requirements for Certified CMMC Assessors (CCAs) and Lead CCAs. Starting November 4, current and future CCAs will receive emails outlining new requirements: at least three years of cybersecurity experience and one year of auditor experience. Those meeting the criteria can undergo a manual review to confirm their status before the December 16 deadline.

Updated Responsibilities for Defense Contractors Using MSPs

If you’re a defense contractor using an MSP, take note. New guidance now clarifies that while MSPs don’t need Level Two assessments, contractors are responsible for ensuring that MSP environments meet Level Two requirements if they’re hosting contract-critical data. Contractors need to confirm that their MSPs comply with FedRAMP Moderate standards or equivalent.

Certification and Delta Training Updates

The Cyber AB has introduced Delta training and testing for CCP and CCA certifications. Delta exams give certification holders an additional option to stay compliant, offering a “recognition of achievement” document and a marketplace badge for those who pass.

System Changes and New Assessments

There were also some pointers on when system changes could trigger new CMMC assessments. The DoD will be keeping an eye on the systems used for contract work, so contractors should monitor compliance closely to avoid any setbacks.

Compliance Standards Going Forward

The Cyber AB emphasized the current adherence to Revision 2 of NIST SP 800-171, with future adjustments expected as Revision 3 undergoes rulemaking. Additionally, the Cyber AB clarified that while CCPs can gain assessment experience, they can’t make final determinations—a step aimed at ensuring consistency across the board.

How Ardalyst Can Help

The CMMC Final Rule is here, and there’s no time to waste. Let Ardalyst guide you through this complex process, ensuring that your business is fully prepared. Our Tesseract program is tailored to provide cost-effective, expert-led support to organizations of all sizes working toward CMMC compliance.

Don’t wait—book your introductory call with our experts today and start your path to certification!