At Justice IT Consulting, we attend the Cyber AB Town Halls on behalf of our clients and followers to stay on top of the latest developments in cybersecurity compliance. These town halls provide crucial updates on policies, processes, and timelines that can directly affect your business, especially if you’re navigating the CMMC or NIST 800-171 compliance landscape. We know that compliance can be complicated and the information shared in these events can be overwhelming. That’s why we take the time to break down the key takeaways into clear, actionable insights—so you know exactly what’s happening, what you need to be aware of, and what steps to take next. Our goal is to make this information not only accessible but also immediately usable for your business. If you have any questions or need further guidance, we’re always here to help!

What Happened:

1. 32 CFR Final Rule Implementation & Background Check Challenges

The 32 CFR Final Rule was officially published in the Federal Register and took effect on December 16, 2024. This finalization paves the way for CMMC 2.0 certification assessments, but there are hurdles:

• Individuals seeking Certified CMMC Professional (CCP) and Certified CMMC Assessor (CCA) credentials must complete Tier 3 background checks.

• These background checks are facing long delays, with processing times ranging from 4 to 10 months.

• Candidates who miss communication attempts from the Washington Headquarters Services (WHS) may have to restart the process, adding further delays.

2. 48 CFR Rule – Still in Proposed Status

The 48 CFR Rule, which will require CMMC certifications on new contracts, is still under review. The timeline for its finalization has been pushed back, with an estimated mid-2025 release. Once finalized:

• New DOD contracts will begin to require CMMC Level 2 certifications.

• Prime contractors may start imposing these requirements earlier, urging subcontractors to certify in advance.

3. New FAR CUI Rule – Expanding CMMC Beyond DOD

The FAR CUI Rule has now been published, marking the first step towards extending CMMC-style compliance to the broader federal government. This means:

• Agencies outside the DOD will now be required to identify, protect, and manage Controlled Unclassified Information (CUI).

• Future procurement contracts from various federal departments may start integrating CMMC-like requirements.

4. CMMC 2.0 Certification Timeline & Next Steps

With the 32 CFR Final Rule in place and 48 CFR expected in 2025, companies must prepare for CMMC 2.0 assessments. The certification timeline:

• Assessments are available now, but scheduling delays persist.

• CMMC Level 2 certifications are likely to be required on contracts starting mid-2026, but prime contractors may enforce compliance earlier.

• The backlog for Certified Third-Party Assessment Organizations (C3PAOs) is growing. Most assessors are booked 3-6 months in advance.

What Should You Do Now?

• Ensure all security controls are in place and up to date.

• Engage a CMMC consultant to review your documentation.

• Begin the C3PAO assessment process early—delays could leave you unable to bid on new contracts.

• Monitor FAR CUI developments if you work with non-DOD federal agencies.