CMMC and DOGE


DOGE and CMMC

The Cyber AB informed C3PAOs that the feedback from a February 2025 meeting between Ms. Arrington and the Department of Government Efficiency (DOGE) indicates that the CMMC program is viewed as a good use of non-taxpayer funds. While the DOGE feedback is preliminary and not a final determination, it reinforces the importance of CMMC as THE cybersecurity framework to protect CUI and maintain our global military-technological supremacy. The CMMC program remains a DoD priority. This is a significant acknowledgement for the DIB and reinforces the importance of moving forward with CMMC implementation and certification.

Why Early Certification Matters

As a Defense Industrial Base (DIB) organization, you’re working diligently to implement your Cybersecurity Maturity Model Certification (CMMC) Level 2 compliance program. We understand your concerns regarding timing and the evolving regulatory landscape, especially in light of the daily news about DOGE restructuring entire government agencies. This article will clarify the current situation and explain why pursuing your CMMC Level 2 certification now is a critically important strategic move.

Understanding the CMMC Level 2 Final Rule

The definitive guidance for CMMC is now published in 32 CFR Part 170, which became effective December 16, 2024. The framework is established and based on NIST 800-171 R2. Consider it “Chiseled-In-Granite.” This regulation outlines all applicable requirements and guidance documents. As a Certified Third-Party Assessment Organization (C3PAO), KLC Consulting is authorized by the Department of Defense (DoD) and Cyber AB to conduct assessments and certify DIB organizations against these requirements.

When Will CMMC Be Required in Contracts?

While 32 CFR establishes the requirements, 48 CFR (specifically DFARS 252.204-7021) is where the DoD mandates CMMC through contract clauses. The 36-month phase-in requirement for CMMC within contracts will begin once 48 CFR is updated – anticipated August 2025. However, it’s crucial to note that the DoD may also selectively require CMMC prior to this update, as seen with initiatives like ARMY MAPS. Therefore, waiting for the formal 48 CFR update and the ensuing 36-month phase-in is not a prudent strategy.

NIST 800-171 Rev 2 vs. Rev 3: What You Need to Know

The DoD is currently looking at implementing NIST 800-171 Rev 3 into CMMC.  While Rev 3 adds approximately 26% more requirements, the current 32 CFR final rule adheres to Rev 2. The DoD isn’t concerned DOGE might upend or significantly modify the CMMC program.

  • Certification Validity: Certifications under Rev 2 remain valid for three years.
  • Cost Considerations: Pursuing certification under Rev 2 now is advantageous, as future Rev 3 certifications will be more expensive.
  • Rev 3 Timeline: While a firm date is not set, the Rev 3 requirement is anticipated sometime in 2026, subject to a to-be-determined grace period.

Why Early CMMC Level 2 Certification Is Crucial

The DoD estimates that 76,598 companies require Level 2 certification (Table: 32 CFR Part 170, p. 86). The low number of C3PAOs translates to an overwhelming workload per C3PAO. A bottleneck is forming, which is another very good reason to schedule your Assessment as soon as possible, even if it’s later in 2025 or early in 2026.

Table 8 – Number of Companies Requiring Certification Over CMMC’s Phase-In

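| Year  | Level 1 Self-Assess | Level 2 Self-Assess | Level 2 Certification | Level 3 Certification | Total  |
|-------|---------------------|---------------------|-----------------------|-----------------------|--------|
| 1     | 945                 | 27                  | 517                   | 4                     | 1493   |
| 2     | 4720                | 136                 | 2599                  | 50                    | 7505   |
| 3     | 15748               | 453                 | 8666                  | 169                   | 25036  |
| 4     | 30184               | 867                 | 16610                 | 323                   | 47984  |
| 5     | 30179               | 867                 | 16606                 | 323                   | 47975  |
| 6     | 30179               | 867                 | 16606                 | 323                   | 47975  |
| 7     | 27246               | 783                 | 14994                 | 295                   | 43318  |
| Total | 139201              | 4000                | 76598                 | 1487                  | 221286 |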

Key Benefits of Early Certification:

  • Avoid Delays: Secure your certification before the bottleneck forms.
  • Cost Savings: Lock in current pricing before potential increases associated with Rev 3.
  • Competitive Advantage: Demonstrate your commitment to cybersecurity and gain a competitive edge in bidding for DoD contracts.
  • Proactive Approach: Show your dedication to protecting Controlled Unclassified Information (CUI).

Our C3PAO Services: Getting You Certified in CMMC Level 2

At KLC Consulting, we streamline the CMMC Level 2 certification process. To begin, we only require a signed MNDA/Contract and a $5,000 deposit. You won’t need to make further payments until we begin the CAP Phase 1 preassessment activities. We also offer flexibility in scheduling should your dates need to change.

Continued DoD Support for CMMC

The DoD’s commitment to CMMC is further emphasized by the recent return of Katie Arrington to the Pentagon, in a new role as chief information security officer (CISO) at the Defense Department Office of the Chief Information Officer.

Given her prior, highly visible role in the initial CMMC program rollout, her return is viewed by many as a strong indicator of continued, and potentially accelerated, support for the CMMC initiative.

Choose Us for Your CMMC Level 2 Certification Assessment

KLC Consulting distinguishes itself by advocating for your CMMC success. We use our professional discretion within CMMC requirements to recognize your security practices and acknowledge your documented commitment. We foster a positive path to CMMC certification. We’re not “gotcha” auditors looking to fail you. Choose KLC Consulting, a C3PAO that values your success.

Let’s Talk

Want an instant price quote for your Assessment? Our website has a new price quote page available HERE.

Our complete Guide with information about our Assessment Process and everything you need to do to prepare is available HERE.

And use our convenient Calendly link to schedule a call to discuss particulars and reserve your spot on our Assessment Calendar.

We look forward to discussing your CMMC Level 2 Certification Assessment with you. 

Want to Know How Much a CMMC Assessment Costs?

Check out our YouTube channel and LinkedIn pages for the latest informational and educational resources for Cybersecurity Maturity Model Certification.
