I’ve covered that the Defense Department has officially finalized the Cybersecurity Maturity Model Certification, or CMMC, outlining essential contractor guidelines. Eric Crusius, an attorney at Holland & Knight, emphasized that this finalized rule clarifies what contractors must do to achieve compliance. There are currently between 50 and 60 assessors available to handle the anticipated 76,000 companies needing evaluation, indicating a potential rush for assessments as deadlines approach. Crusius noted that while compliance does not guarantee immunity from cyber incidents, it significantly enhances protection against them. He predicts that the second rule to operationalize CMMC could be released by the end of the first quarter of 2025, moving swiftly after a year of extensive commentary and feedback on the current rule.
Why do we care?
With up to 76,000 companies needing to undergo CMMC evaluations and only 50-60 certified assessors currently available, the demand for compliance preparation is set to surge. CMMC readiness services (such as gap assessments, remediation plans, and ongoing monitoring) are a potential area of expansion. The possibility of a second rule coming as early as Q1 2025 means that CMMC requirements could evolve quickly, making this an ongoing need.