8 Things You Should Know About CMMC 2.0

Cybersecurity Maturity Model Certification (CMMC) version 2.0 is coming. And when the Final Rule is published, CMMC will become the eligibility requirement for an organization to compete for a federal defense contract. This applies to both primes and subcontractors. 

If CMMC certification applies to you, here are 8 things you need to know:

1. Not surprisingly, the new “go/no-go” cybersecurity assurance process is more complex, requiring Department of Defense (DoD) assessments and certification by an independent Certified Third-Party Assessment Organization (C3PAO). This change replaces the DFARS/NIST self-assessment. 
2. The CMMC specifications continue to evolve. Most recently, the 110 security requirements of NIST SP 800-171 are likely to be expanded to 138 security requirements. These changes, along with others, are published in the NIST SP 800-171, Revision 3 draft. Among them, increased specificity for security requirements and updates to security control families that add Planning, System and Service Acquisition, and Supply Chain Risk Management as 3 new domains.
3. With its inherent complexities, it’s important for you to understand the CMMC assessment process (CAP) – or know someone that does – so you can align your efforts with what the C3PAO will be looking for. 
4. Certification is a prerequisite to doing business, and both your revenue and competitive advantage rely on early preparation. All told it can take organizations up to 12 months or more to achieve CMMC 2.0 assessment readiness. Which is why we encourage you to get started now. 
5. An immediate focus on becoming compliant with NIST SP 800-171 will prepare you for a significant portion of the upcoming CMMC obligations. There’s plenty to do while the Final Rule is pending – NIST SP 800-171 includes 110 requirements, 320 control assessment objectives, plus additional supporting materials including system security plans (SSPs) and corrective plans of action and milestones (POA&Ms). 
6. CMMC certification requires perfection. To pass the certification assessment, organizations must meet all of the requirements and all of their assessment objectives.      
7. Organizations must also complete a Supplier Performance Risk System (SPRS) submission, which is required before a contract can be awarded.  
8. A gap assessment will help you evaluate whether your organization is meeting NIST SP 800-171 requirements (and, if not, focus on remediating them), helping you move more efficiently from your “current state” to CMMC readiness. 

Summit has deep expertise and knowledge in CMMC, DFARS, and NIST 800-171 requirements. We have performed assessments and shortened time- and cost-to-compliance for DoD suppliers nationwide. We can do the same for you. Need some help? Contact Us.