On August 15, 2024, the DoD published a second proposed rule for CMMC 2.0. This rule provides additional guidance to contracting officers, including standard clauses for contracts covered by CMMC 2.0. The CMMC rule is expected to be finalized in early 2025, and once finalized, a 4-phase rollout will occur over a 3 year period. While the phased rollout provides some time for preparation, contractors should be proactively working towards compliance NOW.
What is the current 4-phase CMMC 2.0 rollout schedule proposed by the DoD?
On February 26, 2024, public comments on the CMMC rule published in the Federal Register on December 26, 2023 were completed. It is currently expected the finalized CMMC rule will be in effect in early 2025.
Subject to finalization of the CMMC rule, federal contracts involving FCI or CUI will be required to demonstrate CMMC compliance by October 1, 2026.
At this time, the CMMC program is proposed to roll out in four phases:
CMMC Level 1 and Level 2 self-assessment requirements will be rolled out for new solicitations and contracts that involve federal contract information (FCI) or where the controlled unclassified information (CUI) is of a less sensitive nature.
Six months later, CMMC Level 2 requirements will be rolled out for contracts that require third-party certification.
CMMC Level 3 compliance will take effect, which will start one year after Phase 2. The DoD will perform these Level 3 assessments.
One year after the start of Phase 3, this phase will involve full implementation of CMMC requirements in applicable solicitations and contracts.
The Department of Defense (DoD) has established an assessment process for CMMC 2.0 to ensure their defense industrial base (DIB) contractors are protecting the DoD’s sensitive information adequately.
CMMC 2.0 implements tiered assessment requirements based on the sensitivity of the information shared with a contractor. Directly below is a chart illustrating CMMC’s tiered assessment process with detailed explanations beneath the chart.
As described on the DoD’s Chief Information Office website, here is additional information to help you understand the CMMC 2.0 assessment process and requirements.
Self-Assessments: Contractors who do not handle information deemed critical to national security (Level 1 and a subset of Level 2) will be required to perform annual self-assessments against clearly articulated cybersecurity standards.
Third-Party Assessments (C3PAO): Contractors managing information critical to national security will be required to undergo CMMC Level 2 third-party assessments.
Government-Led Assessments: The highest priority, most critical defense programs (Level 3) will require government-led assessments.
The Department views Level 1 as an opportunity to engage its contractors in developing and strengthening their approach to cybersecurity. Self-assessments will suffice to meet CMMC Level 1 requirements. Likewise, a subset of programs with Level 2 requirements do not involve information critical to national security, and associated contractors will be permitted to meet the requirement through self-assessments.
Contractors will be required to conduct self-assessment on an annual basis, accompanied by an annual affirmation from a senior company official that the company is meeting requirements. The DoD intends to require companies to register self-assessments and affirmations in the Supplier Performance Risk System (SPRS).
Once CMMC 2.0 is implemented, contractors will be required to obtain a third-party CMMC Level 2 assessment for a subset of acquisitions that involve information critical to national security.
The CMMC Accreditation Body (The Cyber AB) will accredit CMMC Third Party Assessment Organizations (C3PAOs) and the CMMC Assessors and Instructors Certification Organization (CAICO). Accredited C3PAOs will be listed on The Cyber AB Marketplace.
The defense industrial base (DIB) company will be responsible for obtaining the needed assessment and certification, to include coordinating and planning the CMMC assessment. After the completion of the CMMC assessment, the C3PAO will upload the assessment report into CMMC EMASS, which DoD can access.
The DoD intends for CMMC 2.0 Level 3 cybersecurity requirements to be assessed by government officials. Assessment requirements are currently under development.
The CMMC Academy, powered by Celerium, delivers tangible, FREE CMMC 2.0 benefits. Its services, experts and content help prepare your business to do business with the Department of Defense.
As an academy member, you can:
As a member of the CMMC Academy, you enjoy these benefits and more.
The team at Celerium understands your organization needs to demonstrate its compliance with CMMC and NIST standards.
To help you do that, we have created and curated the content in our CMMC Insights Courses based on our years of experience implementing compliance standards such as NIST SP 800-153 and 800-171. Our courses will ready your organization for its CMMC assessment.
Here’s how a beta user of our courses characterized their value ...
“The course absolutely helps to better prepare for an assessment by pointing out what an assessor will most likely look for. Although I downloaded all the CMMC documentation when it became available, the course provided a much better perspective on what to focus on.”
A course beta test
Copyright © 2022 Celerium. All Rights Reserved.