CMMC 2.0: Changes You Need To Know
CMMC 2.0 - The Final Rule
The U.S. Department of Defense has been actively working on revising its CMMC (Cybersecurity Maturity Model Certification) program. After much time and deliberation, the CMMC Final Rule was finalized on October 15, 2024, and is set to take effect on December 16, 2024.
The period for delay is over. For contractors to maintain their contract eligibility and have the ability to bid on future contracts, they must identify their appropriate level and comply with all the latest guidelines and requirements specified by their level classification. The most significant details finalized in the Final Rule are relevant to the specific requirements for level 3 and certain level 2 contractors, along with an implementation plan allowing current contractors the opportunity to update and meet their new obligations.
3 Levels of Assessment
A decision has been reached to finalize the necessary regulations for level 3 and certain level 2 contractors and subcontractors to remain compliant. The DoD recognized the timelines necessary for contractors to fulfill all requirements and has introduced a four-phase implementation plan to be executed over three years.
Level 1 and some level 2 contractors will need to complete a self-assessment, identifying all assets managing any CUI or FCI, ensuring compliance with all cybersecurity regulations, and making necessary updates to meet standards.
Certain level 2 contractors handling more sensitive CUI or FCI must undergo a formal assessment conducted by a C3PAO. This evaluation involves a certified third-party assessor who will identify the assets impacted by the sensitive information, verify that they comply with all cybersecurity regulations, and implement solutions if the assets do not meet the required standards.
Level 3 contractors must undergo a DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) evaluation every three years and provide an annual affirmation. They are also required to achieve a CMMC Level 2 Final Status evaluation conducted by a C3PAO.
Implementation Timeline
The U.S. Department of Defense recognizes the time and financial commitments needed to meet CMMC 2.0 requirements and has determined that the program will be implemented through a four-phase plan over a span of three years.
Phase 1 implementation is set to commence 60 days following the publication of the Final Title CFR CMMC Acquisition Rule, which becomes effective on December 16, 2024. This initial phase will primarily impact level 1 contractors and some level 2 contractors. During this phase, these contractors will need to confirm through self-assessments that they comply with all required criteria to proceed with their contracted work.
Phase 2 will commence 12 months after phase 1 begins and will impact additional level 2 contractors handling more sensitive or classified information. During this phase, these level 2 contractors are expected to obtain their required certifications. Similarly, phase 3 will start 24 months after phase 1 begins, targeting all level 3 contractors who must have finished all necessary certifications.
Phase 4 marks the complete implementation stage, commencing 36 months after phase 1 begins. During this phase, all contractors must have fulfilled their requirements and obtained necessary certifications.
Where Does This Leave You?
If you are a level 1 or specific level 2 contractor or third-party contractor, you have the least amount of time to achieve compliance and stay eligible for Department of Defense contracts. While a self-assessment might appear straightforward, meeting all the assessment's requirements could be more demanding than anticipated.
Identifying the assets that need to be included in the assessment is a challenging undertaking, and it is only the starting point. These assets must subsequently be reviewed, tested, and, if needed, upgraded or substituted to comply with the standards established for level 1 and specific level 2 contractors.
Don't waste any more time: reach out if you would like to discuss your options or need assistance in understanding the impact of these changes on your business.