At Justice IT Consulting, we attend the Cyber AB Town Halls on behalf of our clients and followers to stay on top of the latest developments in cybersecurity compliance. These town halls provide crucial updates on policies, processes, and timelines that can directly affect your business, especially if you’re navigating the CMMC or NIST 800-171 compliance landscape. We know that compliance can be complicated and the information shared in these events can be overwhelming. That’s why we take the time to break down the key takeaways into clear, actionable insights—so you know exactly what’s happening, what you need to be aware of, and what steps to take next. Our goal is to make this information not only accessible but also immediately usable for your business. If you have any questions or need further guidance, we’re always here to help!

What Happened:

32 CFR Rule Announced:

The 32 CFR Final Rule has now been published in the Federal Register and will officially enter into force on December 16, 2024. Congress will have 60 "session days" beginning January 3, 2025, to review the rule. They can only approve or repeal it entirely, which is unlikely. This finalizes CMMC 2.0 and paves the way for certification assessments to begin, although not yet mandatory.

48 CFR Proposed Rule:

The comment period for the 48 CFR Proposed Rule, which began in August, ended on October 15, 2024. With revisions underway, the final rule may come into effect as early as mid-2025. This rule will initiate the phased rollout of CMMC, beginning with Phase 1.

What You Need To Know:

Implications of the 32 CFR Final Rule:

Starting in December 2024, any major system changes or M&A activity will require reassessment. Additionally, external service providers (ESPs) now only need CMMC L2 Certification if their client's Controlled Unclassified Information (CUI) is stored or processed in the ESP's systems. ESPs without CMMC L2 Certification will be evaluated as part of their client’s assessment.

Timeline for the rollout of CMMC 2.0:

Phase 1 begins when the 48 CFR Rule is finalized in 2025.

Phase 2 starts one year after Phase 1, followed by Phases 3 and 4 each beginning a year after the previous phase.

L2 Certifications may be required on contracts as early as Q1 2026, but this will vary depending on specific contract needs and prime contractors’ needs.

What You Need To Do (Next Steps):

Implications of the 32 CFR Final Rule:

If your business is affected by the 32 CFR Final Rule, now is the time to start preparing for assessments or certification requirements. For those affected by the 48 CFR Rule, begin aligning your systems and practices with the proposed changes.

CMMC Compliance Guide Podcast

A Conversation with an Assessor Featuring Chris Silvers

In the latest episode of the CMMC Compliance Guide podcast, hosts Brooke and Austin Justice welcomed cybersecurity expert Chris Silvers to dive deep into the complexities of CMMC 2.0 assessments. With over 25 years of experience, Chris is one of the few professionals officially certified as both a Certified CMMC Provisional Assessor and Instructor. His credentials and involvement in developing key training courses place him at the forefront of CMMC 2.0 rollout and industry thought leadership.

Click here to watch the latest episode of CMMC Compliance Guide Podcast