CMMC 2.0
Welcome to the CMMC ACADEMY!
On August 15, 2024, the DoD published a second proposed rule for CMMC 2.0. This rule provides additional guidance to contracting officers, including standard clauses for contracts covered by CMMC 2.0. The CMMC rule is expected to be finalized in early 2025, and once finalized, a 4-phase rollout will occur over a 3 year period. While the phased rollout provides some time for preparation, contractors should be proactively working towards compliance NOW.
What is the current 4-phase CMMC 2.0 rollout schedule proposed by the DoD?
Current Rollout Schedule for CMMC 2.0
On February 26, 2024, public comments on the CMMC rule published in the Federal Register on December 26, 2023 were completed. It is currently expected the finalized CMMC rule will be in effect in early 2025.
Subject to finalization of the CMMC rule, federal contracts involving FCI or CUI will be required to demonstrate CMMC compliance by October 1, 2026.
At this time, the CMMC program is proposed to roll out in four phases:
Phase 1
CMMC Level 1 and Level 2 self-assessment requirements will be rolled out for new solicitations and contracts that involve federal contract information (FCI) or where the controlled unclassified information (CUI) is of a less sensitive nature.
Phase 2
Six months later, CMMC Level 2 requirements will be rolled out for contracts that require third-party certification.
Phase 3
CMMC Level 3 compliance will take effect, which will start one year after Phase 2. The DoD will perform these Level 3 assessments.
Phase 4
One year after the start of Phase 3, this phase will involve full implementation of CMMC requirements in applicable solicitations and contracts.
CMMC 2.0 Assessment Process
The Department of Defense (DoD) has established an assessment process for CMMC 2.0 to ensure their defense industrial base (DIB) contractors are protecting the DoD’s sensitive information adequately.
CMMC 2.0 implements tiered assessment requirements based on the sensitivity of the information shared with a contractor. Directly below is a chart illustrating CMMC’s tiered assessment process with detailed explanations beneath the chart.
CMMC Level
Protecting DOD Information FCI & CUI
Assessments
Level 3:
Expert
CUI for DoD’s highest priority programs
Triennial government-led assessment
Level 2:
Advanced
CUI for DoD’s prioritized acquisitions
CUI for DoD’s non-prioritized acquisitions
Triennial assessment by C3PAO
Annual self-assessment and attestation
Level 1:
Foundational
FCI for DoD
Annual self-assessment and attestation
CMMC Level:
Level 3, Expert
Protecting DOD Information FCI & CUI:
CUI for DoD’s highest priority programs
Assessments:
Triennial government-led assessment
CMMC Level:
Level 2, Advanced
Protecting DOD Information FCI & CUI:
CUI for DoD’s prioritized acquisitions
CUI for DoD’s non-prioritized acquisitions
Assessments:
Triennial assessment by C3PAO
Annual self-assessment and attestation
CMMC Level:
Level 1, Foundational
Protecting DOD Information FCI & CUI:
FCI for DoD
Assessments:
Annual self-assessment and attestation
As described on the DoD’s Chief Information Office website, here is additional information to help you understand the CMMC 2.0 assessment process and requirements.
CMMC ASSESSMENT
OVERVIEW
CMMC 2.0 implements tiered assessment requirements based on the sensitivity of the information shared with a contractor.
Self-Assessments: Contractors who do not handle information deemed critical to national security (Level 1 and a subset of Level 2) will be required to perform annual self-assessments against clearly articulated cybersecurity standards.
Third-Party Assessments (C3PAO): Contractors managing information critical to national security will be required to undergo CMMC Level 2 third-party assessments.
Government-Led Assessments: The highest priority, most critical defense programs (Level 3) will require government-led assessments.
Self-
Assessments
The Department views Level 1 as an opportunity to engage its contractors in developing and strengthening their approach to cybersecurity. Self-assessments will suffice to meet CMMC Level 1 requirements. Likewise, a subset of programs with Level 2 requirements do not involve information critical to national security, and associated contractors will be permitted to meet the requirement through self-assessments.
Contractors will be required to conduct self-assessment on an annual basis, accompanied by an annual affirmation from a senior company official that the company is meeting requirements. The DoD intends to require companies to register self-assessments and affirmations in the Supplier Performance Risk System (SPRS).
Third-Party
Assessments
Once CMMC 2.0 is implemented, contractors will be required to obtain a third-party CMMC Level 2 assessment for a subset of acquisitions that involve information critical to national security.
The CMMC Accreditation Body (The Cyber AB) will accredit CMMC Third Party Assessment Organizations (C3PAOs) and the CMMC Assessors and Instructors Certification Organization (CAICO). Accredited C3PAOs will be listed on The Cyber AB Marketplace.
The defense industrial base (DIB) company will be responsible for obtaining the needed assessment and certification, to include coordinating and planning the CMMC assessment. After the completion of the CMMC assessment, the C3PAO will upload the assessment report into CMMC EMASS, which DoD can access.
Government-Led
Assessments
The DoD intends for CMMC 2.0 Level 3 cybersecurity requirements to be assessed by government officials. Assessment requirements are currently under development.
CMMC Academy Amplifies Your CMMC 2.0 Efforts
The CMMC Academy, powered by Celerium, delivers tangible, FREE CMMC 2.0 benefits. Its services, experts and content help prepare your business to do business with the Department of Defense.
As an academy member, you can:
- Tap into our cybersecurity experts by emailing your general questions on CMMC 2.0 and NIST 800-171 to our hotline.
- Access our online reference guide and tools that help you navigate and implement the required frameworks.
- Stay current on the latest CMMC news by reading our quarterly newsletter with the top stories researched and curated for you.
- Prepare for CMMC certification productively by using our CMMC Insights Courses.
As a member of the CMMC Academy, you enjoy these benefits and more.
Celerium's CMMC Insights Courses
The team at Celerium understands your organization needs to demonstrate its compliance with CMMC and NIST standards.
To help you do that, we have created and curated the content in our CMMC Insights Courses based on our years of experience implementing compliance standards such as NIST SP 800-153 and 800-171. Our courses will ready your organization for its CMMC assessment.
Here’s how a beta user of our courses characterized their value ...
“The course absolutely helps to better prepare for an assessment by pointing out what an assessor will most likely look for. Although I downloaded all the CMMC documentation when it became available, the course provided a much better perspective on what to focus on.”
A course beta test
Learn more about CMMC here.
