We get lots of questions about when CMMC 2.0 will be complete. The Department of Defense (DOD) has been in rulemaking for over a year, and it seems likely that the rule will be issued between March and June of 2023. This is right in line with the DOD’s expectation of 18-24 months back when they announced CMMC 2.0 in the fall of 2021.
Remember, if you are working with Controlled Unclassified Information (CUI) on DOD contracts you already have DFARS flowing down to your organization. These DFARS require you to have a security program that meets the requirements of NIST SP 800-171.
Once implemented, CMMC 2.0 Level 2 will further increase enforcement of NIST SP 800-171 with two key requirements, including:
1. The current self-attestation will be replaced with an independent third-party assessment conducted by an accredited C3PAO (certified third-party assessment organization) conducted every three years.
2. Company SPRS scores from annual self-assessments of NIST SP 800-171 compliance will need to be signed off by a company executive who will be held accountable for the validity of the score.
Here's what we are expecting from CMMC 2.0:
• The three levels (reduced from five) are based on the type of information your organization gets or produces for the DOD. Assessment criteria increases as the sensitivity of the information increases.
• The new rule will allow for a Plan of Action & Milestones (POA&M) with up to 180 days to resolve your open items.
• DOD contracts will start to call out CMMC requirements in 2023.
What does this mean for you?
It is a mistake to confuse your current NIST SP 800-171 requirements and the CMMC program. If you currently do work for the DOD that involves handling CUI, then you have a contractual obligation to implement the NIST SP 800-171 security controls today.
Your first step should be to document your System Security Plan (SSP) and Plan of Actions & Milestones (POA&M). Next, conduct an independent NIST SP 800-171 assessment with an accredited CMMC Registered Practitioner Organization (RPO) to determine your actual supplier performance risk system (SPRS) score, as your prime contractors will be looking to understand your true cybersecurity maturity posture.
About AXIOTROP, LLC:
AXIOTROP is an accredited CMMC Registered Practitioner Organization whose mission is to make cybersecurity accessible, attainable, and sustainable for small and medium-sized businesses so they remain competitive and poised for growth. We simplify cybersecurity by working closely with businesses to right-size their program for their needs, resulting in client retention, business expansion, and reduced risk.