CMMC 2.0 Rule
The standards for securing Department of Defense (DoD) information on contractor systems are changing, and businesses that want to keep DoD work must adapt. A significant milestone was reached in December 2023 with publication of the proposed Cybersecurity Maturity Model Certification (CMMC) 2.0 rule (32 CFR Part 170) in the Federal Register. It is now out for public comment.
How CMMC 2.0 Improves on CMMC 1.0
Streamlines the model from 5 levels to 3, increasing clarity.
Aligns the model with the publicly available National Institute of Standards and Technology (NIST) Special Publication 800-171, which defines the security requirements for protecting Controlled Unclassified Information (CUI) on contractor systems.
Reduces certification costs compared with CMMC 1.0.
Increases accountability and oversight, including a required affirmation of compliance by a senior company official.
Timeline for Implementation
Publication: The proposed rule was officially published in December 2023.
Assessment Commencement: Under the published timeline, CMMC 2.0 assessments are expected to begin in Q1 of 2025.
Contract Rollout: A phased rollout in contracts is expected to start in Q3 of 2025.
It is crucial to note that many companies are already obligated to meet these requirements before the phased rollout: contractors that handle CUI are required under DFARS 252.204-7012 to implement NIST SP 800-171 today, and under DFARS 252.204-7019/7020 to report a current self-assessment score. Readiness should therefore be a priority well before the CMMC dates.
Understanding CMMC 2.0 Levels
CMMC 2.0 consists of three levels. Level 1 covers the 15 basic safeguarding requirements of FAR 52.204-21 for Federal Contract Information; Level 2 covers the 110 requirements of NIST SP 800-171 for CUI; Level 3 adds requirements drawn from NIST SP 800-172 for the most sensitive programs. Level 2 is the most common and pertinent level for many contractors. Achieving Level 2 certification is no small feat; preparation alone can take 9-18 months, followed by a potential 6-12 month wait time for certification.
Action Steps for Contractors
If maintaining Department of Defense (DoD) contracts is part of your business model, then the message is clear: prepare now if you want to keep DoD contracts under the new cybersecurity rules. Prime contractors will prioritize certified partners, making early compliance a competitive advantage. Get help from an organization that can accelerate your implementation and reduce risk.
Step 1: Engage an RPO:
In the CMMC 2.0 certification process, an RPO (Registered Practitioner Organization) is a consulting organization registered with the CMMC Accreditation Body (now the Cyber AB) that offers advice and implementation support to companies seeking compliance. An RPO prepares you for assessment; it does not conduct the assessment.
Step 2: Engage a C3PAO:
A CMMC Third-Party Assessment Organization (C3PAO) is an organization that has been authorized by the CMMC Accreditation Body (now the Cyber AB) to conduct the Level 2 certification assessments for defense contractors.
When looking for a partner, consider the following criteria:
Expertise in Cybersecurity Compliance: An organization should have a deep understanding of the CMMC 2.0 requirements and be able to offer advice and support tailored to these standards.
Accreditation Status: Ensure that the organization is officially registered (for an RPO) or authorized (for a C3PAO) by the Cyber AB and appears in its public marketplace. This ensures they are up-to-date with the latest guidelines and practices.
Experience with Similar Organizations: Look for an organization that has experience working with companies similar to yours in size, industry, and cybersecurity needs.
Services Offered: For an RPO, determine what specific services they provide. They should be able to assist with the entire compliance process, from gap analysis to implementation support. A C3PAO should also be able to answer questions and offer support throughout the certification process. Note the conflict-of-interest rule, however: the C3PAO that assesses you cannot be the organization that consulted on or implemented your controls, so plan on engaging separate organizations for the two roles.
Reputation and References: Research their reputation within the industry. Seek testimonials or case studies from previous clients to gauge their effectiveness and reliability.
Understanding of DoD Requirements: Since the Department of Defense's standards are stringent, the organization should demonstrate a clear understanding of these requirements.
Communication and Reporting: Effective communication is key. The organization should provide clear reporting on your compliance status and any issues that need addressing.
Cost Structure: Understand their fee structure and ensure it aligns with your budget and the scope of services provided.
Long-term Support: Post-certification, you may still require support. Check if the organization offers ongoing services to maintain compliance.
Understands Culture: Working with an organization that understands how your company operates streamlines collaboration.
Business Risk: An organization that looks beyond technical risk to understand business risk can be a valuable asset in the certification process.
Employee Impact: New controls change how every employee works. Seek out an organization that understands how technology changes affect people and can help manage that transition.
The hurdles may seem daunting, but take heart. We've helped organizations assess compliance and accelerate implementation in as little as three months.