As of January 11, 2023, this was the official statement on the dodcio.defense.gov website: UPDATES TO THE CMMC WEBSITE WILL BE LIMITED DURING THE CMMC 2.0 RULEMAKING PROCESS.

And their own answer to their own posted question of "When will CMMC 2.0 be required for DoD contracts? "The publication of materials relating to CMMC 2.0 reflect the Department’s strategic intent with respect to the CMMC program; however, CMMC 2.0 will not be a contractual requirement until the Department completes rulemaking to implement the program. The rulemaking process and timelines can take 9-24 months. CMMC 2.0 will become a contract requirement once rulemaking is completed.”

Also, it’s important to note the enormous scope implications to the broader DIB. Per the DoD Chief Information Officer, “DoD’s intent under CMMC 2.0 is that if a DIB company does not process, store, or transmit Controlled Unclassified Information (CUI) on its unclassified network, but does process, store or handle Federal Contract Information (FCI), then it must perform a CMMC Level 1 self-assessment and submit the results with an annual affirmation by a senior company official into SPRS.”

This we do know - CMMC is finally on its way and hundreds of thousands of companies within the broader Defense Industrial Base (DIB) need to start taking measures to comply with CMMC. 

Arlington offers the following CMMC solutions to federal contractors:

• Scoping & Gap Assessments
• Remediation & Documentation
• System Security Plan (SSP)

About Arlington

We are Arlington, a team of innovative, solution-oriented, highly agile, and well-versed professionals with decades of experience in working with America’s defense industry. From emerging cybersecurity regulations to helping our clients solve complex security & compliance solutions – and so much more – you can trust Arlington, the firm that’s Dedicated to Defense®.  Learn more at arlingtonintel.com.