With the DoD announcement of CMMC 2.0 on November 4, 2021, many companies in the Defense Industrial Base (DIB) are wondering whether CMMC still applies to their future government contracts.
Five levels were initially introduced in CMMC 1.0, although Level 2 and Level 4 were expected to be transitional steps.
CMMC 2.0 uses only three levels:
(Figure: the three CMMC 2.0 levels; source: Acquisition & Sustainment, Office of the Under Secretary of Defense)
Initially, CMMC did not allow for self-certification at any level.
This has changed in CMMC 2.0.
For each level, certification is expected to work as follows in CMMC 2.0:
Level 1 – all Level 1 companies can self-certify
Level 2 – a subset of Level 2 companies will be able to self-certify, and others will need to hire an outside assessor (C3PAO) to perform an assessment
Level 3 – all Level 3 companies will require an assessment by the government
Contractors that only need to meet Level 1 of CMMC are those that are protecting Federal Contract Information (FCI), not Controlled Unclassified Information (CUI).
FCI is information not intended for public release that is provided by the US government under a contract to develop or deliver a product or service to the government; it does not include publicly available information, such as information posted on public websites.
CUI is information the US government creates or possesses that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.
Certified Third-Party Assessment Organizations (C3PAO) will continue to be part of the CMMC ecosystem and provide assessments to some organizations seeking Level 2 compliance.
Since all Level 1 companies will be able to self-certify, as well as some Level 2 companies, fewer assessments will require a C3PAO.
Plans of Action with Milestones (POA&M) serve as written plans of how an organization will meet compliance in the future. POA&Ms were used by companies to show compliance with NIST SP 800-171 but were not originally sufficient to show compliance with CMMC.
In CMMC 2.0, it is expected that POA&Ms will be an acceptable form of remediation for certain CMMC practices.
Even without knowing if you will be able to use a POA&M to show CMMC compliance, POA&Ms are of value to all companies in strengthening their security posture, as are System Security Plans (SSP).
The DoD is still moving forward with CMMC.
The CMMC Accreditation Body (CMMC-AB) continues to have an exclusive contract with the DoD authorizing the CMMC-AB to operationalize CMMC assessments and training.
The Supplier Performance Risk System (SPRS) will continue to be used by contractors not handling CUI (Level 1 and some Level 2) to register self-assessments and affirmations.
The new iteration of CMMC still aligns with the original goal of protecting information in government supply chains, and also:
By minimizing barriers to compliance, CMMC 2.0 makes it easier for contractors to adopt cybersecurity controls and meet the compliance requirements.
Your costs to comply with CMMC will vary based on the contract requirement for your CMMC level and the complexity of your IT infrastructure.
But compared to the first iteration of CMMC, costs to comply across the DIB will be lower due to the number of companies that will not require an assessment by a C3PAO (Level 1 and some Level 2 companies).
The CMMC requirement will not be included in any DoD contract until CMMC 2.0 is finalized and rulemaking is completed, which is expected to take 9-24 months from the date of announcement on November 4, 2021.
With the announcement of CMMC 2.0, the DoD has issued guidance for ways a DIB company can become more secure.
As an RPO, Corserva is authorized by the CMMC-AB to provide pre-assessment consulting services to government contractors.
Corserva has created an easy process to enable you to get ready for a CMMC assessment and comply with CMMC.
Corserva offers: