The road to CMMC compliance may seem long and difficult, but this guide makes it much less daunting by explaining each and all steps contractors need to take to prepare for it, achieve it, and maintain it.
Enter your email address to receive the guidebook.
Guidebook Topics Include:
- Introduction
- What Is CMMC 2.0?
- CMMC Timeline
- What Are the CMMC 2.0 Certification Levels?
- How to Determine Which Level Applies to You?
- What Is the Difference Between FCI and CUI?
- What Is the Difference Between NIST SP 800-171 and CMMC 2.0?
- Third-Party Certification
- Mandatory Certification
- What do contractors Need to Know About Cybersecurity FAR and DFARS?
- CMMC Accreditation Body and Ecosystem
- How to Prepare for a CMMC 2.0 Assessment?
- What Does a third party CMMC 2.0 Assessment Involve?
- External Service Provider Considerations
- Cloud Service Provider Considerations
- How to Ensure Ongoing Compliance?
- Designate a Compliance Position
- Maintain Policies and Procedures
- Maintain Technical Capabilities
Download DoD Contractor’s Guide to CMMC 2.0 Compliance
“The new CMMC 2.0 framework is taking the defense industry by storm and there is a lot of confusion about what it involves and who it applies to. Our goal is to try to simplify all of the information on CMMC 2.0 into a clear and consolidated guide for DoD contractors.”
CMMC Timeline
The most important CMMC dates include:
- January 2020 – The introduction of CMMC Version 1.0.
- April 2021 – The first C3PAO’s begin to be assessed against CMMC Level 2 (previously CMMC 1.0 Level 3) by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). C3PAO’s must pass their own Level 2 assessment before being able to conduct assessments themselves.
- November 2021 – The DoD review of the CMMC program is concluded, CMMC v1.0 is effectively terminated and replaced by CMMC 2.0.
- December 2021 – CMMC v2.0 model documentation and assessment guides released.
- January 2022 – December 2023 – Rulemaking underway while DIB contractors prepare for CMMC 2.0 requirements.
- December 2023 – 32 CFR CMMC 2.0 DFARS rule released for public comment, along with supporting documentation including CMMC 2.0 assessment and scoping guidelines.
- January 2024 – December 2024 – DoD review and analysis of comments on 32 CFR CMMC 2.0 rule and release of 48 CFR CMMC 2.0 rule for public comment.
- January-March 2025 (Estimated) – The CMMC 2.0 rule takes effect requiring self-assessment and attestation for all new contracts. Self-attestation will be replaced by third party (C3PAO) assessment requirements as the assessment ecosystem ramps up.
- July-September 2025 (Estimated) – Third party (certification) assessment requirements introduced at Level 2.
- July-September 2026 (Estimated) – Third party certification requirements are introduced for the exercise of options to extend existing contracts.
- July-September 2027 (Estimated) – Rollout concludes with CMMC 2.0 requirements now included in all DoD solicitations and contracts.
Excerpt From DoD Contractor’s Guide to CMMC 2.0 Compliance
“Eventually, all DoD contractors and subcontractors that handle FCI or CUI will be required to meet CMMC 2.0 requirements, documented either by third party assessment or self-assessment & attestation. Only contractors that provide commercial-off-the-shelf products and don’t handle any CUI won’t be required to achieve one of the three levels of compliance. ”