Version 1 of the much anticipated Cybersecurity Maturity Model Certification (CMMC) framework was release by the Pentagon on January 31. Many news outlets are reporting that, “All DoD contractors must be certified by 2025.” This is a correct statement, but a misleading timeline.
Starting in June of 2020, all newly issued RFQs will require CMMC compliance (likely level 1 or 2) in order to receive the Federal Contract Information required to participate in the bidding process.
Since multi-year Federal contracts are limited to 5 years, by 2025 all DoD contracts will have cycled through under the new rules, making this statement true. If you are a contractor or sub that would like to participate in any contract issued or renewed after June 2020, you will need to be certified to be considered. This includes rebidding incumbents and sole-source suppliers.