About CMMC 2.0
The Office of the Under Secretary of Defense for Acquisition and Sustainment has recently stated that security is foundational to acquisition and should be weighed alongside cost, schedule, and performance going forward.
The Cybersecurity Maturity Model Certification (CMMC) was created to ensure that the contractors making up the defense industrial base protect government information through the adoption of strong cybersecurity practices. Today, actual compliance across the defense industrial base is inconsistent and largely unverified, because it has rested on contractor self-attestation.
For contractors not currently in compliance with NIST SP 800-171, a Plan of Action and Milestones (POA&M) can be used to document how and when the remaining requirements will be met. Under the existing self-attestation regime for NIST SP 800-171, a POA&M carried no deadline and could be used to defer compliance indefinitely. This is no longer the case with CMMC 2.0: a POA&M is strictly time-limited to 180 days, and only certain lower-weighted practices are eligible to be placed on one at all. In addition, many contractors handling CUI will be required to undergo a formal assessment by a CMMC Third-Party Assessment Organization (C3PAO) rather than self-assess.
CMMC 2.0 certification levels range from "Foundational" (Level 1) to "Expert" (Level 3). At a minimum, any company handling Controlled Unclassified Information (CUI) will be required to meet Level 2. To achieve Level 2, a government contractor must satisfy all 110 security requirements specified in NIST SP 800-171; partial credit is not a substitute for certification. Level 3 builds on Level 2 with a subset of the enhanced requirements from NIST SP 800-172 and is assessed by the government rather than by a C3PAO.
Commencing in late 2022 or early 2023, contracts will begin to specify the required CMMC 2.0 level. For contracts that require CMMC 2.0 Level 2 or 3, your organization may be ineligible for award if it does not hold the required certification at the time of contracting.
Rimstorm can help you prepare for your CMMC 2.0 assessment in a number of ways. We can provide a CMMC Cybersecurity Review that details every gap in the processes and controls required to achieve CMMC certification and recommends how to correct each deficiency. If desired, we can also help close those gaps through managed security services and other cybersecurity services.