CMMC 2.0: Phased Implementation Begins This Year. Are You Ready?

January 9, 2023

After long, drawn-out conversations about when it will happen, it appears a timeline has finally been established for implementing the Cybersecurity Maturity Model Certification (CMMC) v. 2.0. 

CMMC is a part of the Defense Federal Acquisition Regulation Supplement (DFARS) and establishes compliance standards for organizations that access controlled unclassified information (CUI) looking to bid on or renew Department of Defense (DoD) contracts. It’s derived from other industry-recognized cybersecurity frameworks such as NIST 800-171, NIST 800-53, ISO 27031, and ISO 27032 and covers standards for everything from access control to system integrity.  

The first version was released in February 2020, but after receiving agency and contractor feedback about the original standards, the DoD adjusted and issued a new implementation timeline. While there are many changes from 1.0 to 2.0, among the most noted is that the newest version decreases the original five certification levels down to three and includes other changes to address the evolving threat landscape and align with other industry standards. 

Initially, CMMC requirements were thought to be included in all new contracts by October 2025. However, after soliciting feedback and going through the rule-making process, it appears CMMS 2.0 may not appear in solicitations until May 2023, which would be about 60 days from the anticipated rules finalization date sometime in March 2023. 

While this process is ongoing and could again change, now is not the time for organizations to sit back and wait to see what happens next. Instead, if you believe you’re going to work with the DoD on these contracts, you may already be behind the eight ball if you haven’t started yet.  

So, what can you do? Here are 4 suggestions to help ensure you’re on the right track when phased implementation begins. 

  1. Know your CMMC certification level and understand requirements. The level of CMMC certification you will need depends on various factors, including the complexities of your DoD contract and CUI access. All organizations must be compliant with CMMC 2.0 at least at certification level 1. Depending on the type of CUI access and sensitivity, you may need certification at level 2 or 3. Once you’ve determined the right certification level for the types of contracts you want to pursue, make time to carefully review and understand what those requirements are and what’s expected. 
  2. Conduct a current assessment. A great starting point to see what you need to do to meet CMMC 2.0 requirements is to assess where you are with those requirements now. Consider this your current CMMC 2.0 posture and use it as a baseline to build your program to where it needs to be based on the impending phase-in timeline. This is also good practice if your organization falls into a certification level that will require a self-assessment. 
  3. Identify gaps and address them. Once you’ve conducted your assessment, use that assessment to identify gaps in your existing controls and make plans to address them so you’re on the right track when it’s time to pursue certification. Also, don’t forget to document all of your controls. If you don’t have that documentation, you might not get credit for those controls and fail to achieve certification. 
  4. Work with a CMMC consultant. To ensure you’re well on your way to CMMC 2.0 certification, consider working with a consultant who specializes in CUI security frameworks. You may also want to work with a CMMC-certified third-party assessment organization to help you get ready for the journey ahead

Follow along in our 12 Days of Cybersecurity on our LinkedIn. Learn more about how Apptega can simplify day-to-day cybersecurity and compliance management and schedule a custom tour of the Apptega platform.