CMMC 2.0
Welcome to the CMMC ACADEMY!
DoD released the official version of CMMC 2.0.
What does it mean for defense suppliers?
The Department of Defense (DoD) has scheduled CMMC 2.0 to become an Interim Rule in March 2023. If your company wants to win DoD contracts, you will have to be CMMC 2.0 compliant at the time of the contract award.
Here are some of the important specifics you need to know.
Current Rollout Schedule for CMMC 2.0
- Starting in August 2022, DoD contractors who handle controlled unclassified information (CUI) can volunteer for a joint-surveillance CMMC assessment.
- Those CMMC assessments will be conducted by accredited, third-party assessment organizations (C3PAOs) with the oversight of the DoD’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) authorities.
- These first voluntary assessments will be based on the CMMC’s Accreditation Body’s (The Cyber AB) pre-decisional draft of the CMMC Assessment Process guide (The Cap Guide) .
- If Organizations Seeking Certification (OSCs) pass the voluntary assessment (which is equivalent to a DIBCAC NIST 800-171 High Assessment), they will receive a CMMC Level 2 certification after CMMC rulemaking is done, which is anticipated to be March 2023. Any OSC that passes the voluntary assessment will not have to recertify for 4 years.
- Beginning in December 2022, the DoD will cement its November 2020 DFARS Interim Rule into a Final Rule. That means the enforcement of defense contractors’ compliance with NIST 800-171 will be under increased scrutiny.
- The DoD also indicated that CMMC 2.0 is scheduled to become an Interim Rule in March 2023. This expedited timeline means that defense contractors need to act now to protect the controlled unclassified information (CUI) they handle for the DoD to comply with the DoD mandates.
CMMC Assessments
The 47-page CMMC Process guide (the CAP Guide) outlines the assessment process for organizations seeking certification (OSCs) at CMMC Level 2 certification, the required level for all DIB contractors who expect to receive or store Controlled Unclassified Information (CUI).
The CAP Guide states that Level 2 assessments will be conducted by CMMC Third-Party Assessment Organizations (C3PAOs). You can find authorized C3PAOs in good standing on The Cyber AB’s marketplace. The CMMC AB will only accept assessments from authorized C3PAOs that are in good standing, so it is important to confirm authorization and standing status before beginning the assessment process.
OSCs must designate an Assessment Official (AO) and Point of Contact (POC) for the CMMC assessment. The AO should be a senior representative of the contractor who is a decision-maker responsible for leading the OSC’s CMMC assessment. The POC should provide the daily coordination and liaison support between the OSC and the C3PAO assessment team.
The CAP Guide also directs that only the parts of the OSC’s work involving DoD contracts and accessing controlled unclassified information needs to be assessed. In some organizations, this direction would require the entire organization be assessed, and in other organizations, only a division or operational unit would require assessment. Additionally, OSCs should inform their C3PAOs of any third-party personnel, procedures or technologies they rely on to perform DoD contracts.
One of the most frequent questions defense contractors ask is related to scoring. As outlined in the CAP Guide under sections 2.3.2 and 2.4.1, limited plans of action and milestones (POAMs) are permitted, but contractors must achieve a minimum assessment score or 80% or 88 out of a total of 110 points per CMMC practice CA.L2-3.12.2. And none of the high-weighted (3 or 5 points) practices are eligible to be on the contractor’s POAM list. For scoring specifics related to the weighting of practices, refer to NIST 800-171 DoD Assessment Methodology, Version 1.2.1, June 24, 2020. Here is the link.
Our CMMC Academy team strongly recommends you read the draft version of the CAP Guide carefully, and be sure to send any comments to the The Cyber AB/DoD.
CMMC Academy Amplifies Your CMMC 2.0 Efforts
The CMMC Academy, powered by Celerium, delivers tangible, FREE CMMC 2.0 benefits. Its services, experts and content help prepare your business to do business with the Department of Defense.
As an academy member, you can:
- Tap into our cybersecurity experts by emailing your general questions on CMMC 2.0 and NIST 800-171 to our hotline.
- Access our online reference guide and tools that help you navigate and implement the required frameworks.
- Stay current on the latest CMMC news by reading our monthly newsletter with all the top stories researched and curated for you.
- Prepare for CMMC certification productively by using our CMMC Insights Courses.
As a member of the CMMC Academy, you enjoy these benefits and more.
View Our latest Video:
Latest Video: CMMC 2022 Spring Update
The ever-evolving rollout of CMMC 2.0 may have you wondering if your understanding of the 2.0 program is up to date. To level set you on the 2.0 program and requirements, practices, and processes, please watch this video. Celerium's Cheif Operations Officer, Chris Cundel, provides what you need to know, and do, to enable your company to do business with the DoD.
Presented by
CMMC Academy Sponsors
international alliance members
Learn more about CMMC Here.
Sponsored by Celerium
CMMC Insights: Training on Implementation by Implementers
These online-only courses provide CMMC training to companies looking to comply with CMMC. The courses are created by an experienced team of cybersecurity implementers with years of experience on NIST standards.
Implementing CMMC will be different for every company. And with the U.S. government doubling down on cybersecurity, it's important to get it right. So where is the best place to start?
Our CMMC Insights courses were created to help companies looking to comply with CMMC understand how to implement the practices. Our team has years of experience implementing NIST 800-53.
One-year access to the learning portal is provided, and we will provide updates on changes to CMMC as clarity is provided on items such as reciprocity. Don't wait -- get started on your CMMC assessment preparation now.