top of page
We Deliver Exceptional Services to Industry and Commercial
What is CMMC?The Cybersecurity Maturity Model Certification is a new standard that will take the place of NIST 800-171 on DoD contracts. CMMC 2.0 is broken down into 3 levels of certification ranging from basic to advanced. Additionally, CMMC requires a third-party assessment and certification on a subset of Level 2 contracts.
What type of deliverables or documentation does CMMC require?It is a requirement of CMMC to provide a System Security Plan as well as policies and procedures on how you implement the practices found in CMMC. The auditor will most likely need to provide a Report on Compliance, like that of PCI and FedRAMP. If you are submitting a self-assessment for Levels 1 or 2 you will need a System Security Plan to claim compliance.
How do I prepare for CMMC certification?Two steps to get your company underway: Get NIST 800-171 documentation out of the way. This will get you through many of the CMMc Level 2 requirements and keep you compliant with the current DFARs clause. Be ready to address any gaps you find and implement solutions to remediate them. It is still unclear whether your organization will need to obtain a third-party audit and certification or if you’ll be able to self-assess and submit the results manually.
What can I expect in order to be Level 2 certified?This new version of CMMC contains a slimmed down tiered model of only 3 levels of compliance/certification. Level 1 is considered Foundational. Level 2 is “Advanced” with 110 practices. Level 2 will be split into two groups. Those who have been deemed to work with critical national security information will need to obtain a certification with a C3PAO, like us.
When can I expect to see CMMC in contracts?CMMC will take some time to make it into actual DoD contracts. It must first go through the rulemaking process. This involves DoD pursuing rulemaking both in Part 32 of the Code of Federal Regulations (C.F.R.) as well as in the Defense Federal Acquisition Regulation Supplement (DFARS) in Part 48 of the C.F.R. In addition to the time that will take, both rules will have a public comment period. In other words: It is unclear how long it will take for CMMC 2.0 to take effect. It has been estimated to take as long as 9 – 24 months until you see a CMMC requirement in any solicitation. In the meantime, you should prepare by working with an assessor like us.
bottom of page