DoD released the official version of CMMC 2.0. What does it mean for defense suppliers?
The Department of Defense (DoD) has scheduled CMMC 2.0 to become an Interim Rule in March 2023. If your company wants to win DoD contracts, you will have to be CMMC 2.0 compliant at the time of the contract award.
Here are some of the important specifics you need to know.
Current Rollout Schedule for CMMC 2.0
Starting in August 2022, DoD contractors who handle controlled unclassified information (CUI) can volunteer for a joint-surveillance CMMC assessment.
Those CMMC assessments will be conducted by accredited, third-party assessment organizations (C3PAOs) with the oversight of the DoD’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) authorities.
These first voluntary assessments will be based on The Cyber AB's (the CMMC Accreditation Body's) pre-decisional draft of the CMMC Assessment Process guide (the CAP Guide).
If Organizations Seeking Certification (OSCs) pass the voluntary assessment (which is equivalent to a DIBCAC NIST 800-171 High Assessment), they will receive a CMMC Level 2 certification after CMMC rulemaking is done, which is anticipated to be March 2023. Any OSC that passes the voluntary assessment will not have to recertify for 4 years.
Beginning in December 2022, the DoD will cement its November 2020 DFARS Interim Rule into a Final Rule. That means the enforcement of defense contractors’ compliance with NIST 800-171 will be under increased scrutiny.
The DoD also indicated that CMMC 2.0 is scheduled to become an Interim Rule in March 2023. This expedited timeline means that defense contractors need to act now to protect the controlled unclassified information (CUI) they handle for the DoD to comply with the DoD mandates.
The 47-page CMMC Assessment Process guide (the CAP Guide) outlines the assessment process for organizations seeking certification (OSCs) at CMMC Level 2, the required level for all DIB contractors who expect to receive or store Controlled Unclassified Information (CUI).
The CAP Guide states that Level 2 assessments will be conducted by CMMC Third-Party Assessment Organizations (C3PAOs). You can find authorized C3PAOs in good standing on The Cyber AB’s marketplace. The CMMC AB will only accept assessments from authorized C3PAOs that are in good standing, so it is important to confirm authorization and standing status before beginning the assessment process.
OSCs must designate an Assessment Official (AO) and Point of Contact (POC) for the CMMC assessment. The AO should be a senior representative of the contractor who is a decision-maker responsible for leading the OSC’s CMMC assessment. The POC should provide the daily coordination and liaison support between the OSC and the C3PAO assessment team.
The CAP Guide also directs that only the parts of the OSC's work involving DoD contracts and access to controlled unclassified information need to be assessed. In some organizations this means the entire organization must be assessed; in others, only a division or operational unit requires assessment. Additionally, OSCs should inform their C3PAOs of any third-party personnel, procedures or technologies they rely on to perform DoD contracts.
One of the most frequent questions defense contractors ask is related to scoring. As outlined in the CAP Guide under sections 2.3.2 and 2.4.1, limited plans of action and milestones (POAMs) are permitted, but contractors must achieve a minimum assessment score of 80%, or 88 out of a total of 110 points, per CMMC practice CA.L2-3.12.2. None of the high-weighted (3- or 5-point) practices are eligible to be on the contractor's POAM list. For scoring specifics related to the weighting of practices, refer to NIST 800-171 DoD Assessment Methodology, Version 1.2.1, June 24, 2020.
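As an added illustration (not code from the article or from Celerium), the scoring rule above in Python: start from 110, deduct each unmet practice's weight, apply the 88-point floor, and flag any 3- or 5-point gap that may not be deferred to a POAM. The practice IDs and weights in the sample findings are constructed for the example; the official per-practice weights come from the DoD Assessment Methodology annex.

```python
from dataclasses import dataclass

MAX_SCORE = 110          # every NIST SP 800-171 practice met: no deductions
MIN_PASSING_SCORE = 88   # the 80% floor (88 of 110) cited from the CAP Guide
POAM_INELIGIBLE_WEIGHTS = {3, 5}   # high-weighted practices may not be deferred to a POAM


@dataclass(frozen=True)
class UnmetPractice:
    practice_id: str   # NIST SP 800-171 practice identifier, e.g. "3.1.1"
    weight: int        # 1, 3 or 5; take real values from the DoD Assessment Methodology annex


def assessment_score(unmet):
    """Start at 110 and deduct each unmet practice's weight; met practices cost nothing."""
    return MAX_SCORE - sum(p.weight for p in unmet)


def poam_blockers(unmet):
    """Unmet practices that are too heavily weighted to be placed on a POAM."""
    return sorted(p.practice_id for p in unmet if p.weight in POAM_INELIGIBLE_WEIGHTS)


def evaluate(unmet):
    """Apply both gates: the 88-point floor and the 'no 3- or 5-point items on a POAM' rule."""
    score = assessment_score(unmet)
    blockers = poam_blockers(unmet)
    return {
        "score": score,
        "meets_floor": score >= MIN_PASSING_SCORE,
        "poam_blockers": blockers,
        "poam_eligible": score >= MIN_PASSING_SCORE and not blockers,
    }


# Constructed sample findings (weights are illustrative, not the official table).
FEW_LOW_WEIGHT_GAPS = [UnmetPractice("3.1.20", 1), UnmetPractice("3.1.22", 1), UnmetPractice("3.8.9", 1)]
ONE_HIGH_WEIGHT_GAP = FEW_LOW_WEIGHT_GAPS + [UnmetPractice("3.5.3", 5)]
TOO_MANY_GAPS = [UnmetPractice(f"3.x.{i}", 1) for i in range(23)]   # "3.x.N" are placeholder ids

if __name__ == "__main__":
    for label, findings in [("few low-weight gaps", FEW_LOW_WEIGHT_GAPS),
                            ("one high-weight gap", ONE_HIGH_WEIGHT_GAP),
                            ("too many gaps", TOO_MANY_GAPS)]:
        print(label, evaluate(findings))
```

Note that a score above 88 is not enough on its own: the second sample scores 102 yet is not POAM-eligible because a 5-point practice is unmet.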
The ever-evolving rollout of CMMC 2.0 may have you wondering whether your understanding of the 2.0 program is up to date. To bring you up to speed on the 2.0 program and its requirements, practices, and processes, please watch this video. Celerium's Chief Operations Officer, Chris Cundel, provides what you need to know, and do, to enable your company to do business with the DoD.
CMMC Insights: Training on Implementation by Implementers
These online-only courses provide CMMC training to companies looking to comply with CMMC. The courses are created by an experienced team of cybersecurity implementers with years of experience on NIST standards.
Implementing CMMC will be different for every company. And with the U.S. government doubling down on cybersecurity, it's important to get it right. So where is the best place to start?
Our CMMC Insights courses were created to help companies looking to comply with CMMC understand how to implement the practices. Our team has years of experience implementing NIST 800-53.
One-year access to the learning portal is provided, and we will provide updates on changes to CMMC as clarity is provided on items such as reciprocity. Don't wait -- get started on your CMMC assessment preparation now.