CMMC 2.0 Rulemaking and What to Expect

The Cybersecurity Maturity Model Certification (CMMC) framework was introduced by the United States Department of Defense (DoD) in 2020 to enhance the cybersecurity posture of defense contractors. Since its introduction, the framework has undergone several changes, with the latest version being CMMC 2.0. This new version brings significant changes to the certification process, and it is essential to understand the CMMC 2.0 rulemaking process and what to expect from this new version.

What is CMMC 2.0?

CMMC 2.0 is the latest version of the CMMC framework. This version incorporates updates and changes to the previous version, CMMC 1.0, which was released in January 2020. The primary goal of CMMC 2.0 is to simplify the certification process while aligning it with the NIST SP 800-171 Rev. 2 standards.

What are the changes in CMMC 2.0?

CMMC 2.0 introduces several changes to the framework, including:

  1. New Scoring System: CMMC 2.0 introduces a new scoring system, which simplifies the certification process. The previous version, CMMC 1.0, had five levels of certification, each with specific requirements that companies had to meet. In CMMC 2.0, the five levels have been consolidated into three levels: Level 1, Level 2, and Level 3. Each level has specific requirements that companies must meet to achieve certification.
  2. Updated Controls and Practices: CMMC 2.0 aligns with the NIST SP 800-171 Rev. 2 standards. This means that companies will need to implement the latest security controls and practices to meet the certification requirements.
  3. Shift from Self-Attestation to Third-Party Assessments: In CMMC 2.0, companies will no longer be allowed to self-attest their compliance with the certification requirements. Instead, a third-party assessor will be required to validate a company’s security posture before certification is granted.

What is CMMC 2.0 Rulemaking?

CMMC 2.0 rulemaking is the process of developing and implementing the regulatory framework that governs the certification process. The rulemaking process is designed to ensure that the framework is consistent with legal and regulatory requirements while allowing for public input and feedback. The CMMC Accreditation Body (CMMC-AB) is responsible for the CMMC 2.0 rulemaking process. The CMMC-AB is a non-profit organization established to oversee the certification process and ensure that it is consistent with the DoD’s requirements.

What to Expect from CMMC 2.0 Rulemaking?

The CMMC 2.0 rulemaking process is ongoing, and several key developments are expected in the coming months. These include:

  1. Release of the Interim Rule: The DoD is expected to release an interim rule in the first quarter of 2022. This rule will provide details on the implementation of CMMC 2.0 and outline the requirements that defense contractors will need to meet.
  2. Public Comment Period: Once the interim rule is released, a public comment period will follow. This period is designed to allow stakeholders to provide feedback on the proposed changes to the certification process.
  3. Final Rule: After the public comment period, the DoD will release a final rule that outlines the certification requirements and the process for obtaining certification.
  4. Implementation: The implementation of CMMC 2.0 is expected to begin in late 2022 or early 2023. During this period, companies will need to begin aligning their security practices with the updated controls and practices.

The CMMC 2.0 rulemaking process is an essential step towards enhancing the cybersecurity posture of defense contractors. As the process unfolds, it is important for companies to stay informed and prepared to meet the updated certification requirements.

At Cleared Systems Consulting, we are committed to helping companies navigate the evolving landscape of cybersecurity regulations and certifications. Our team of experts can provide guidance and support to ensure that your company is prepared to meet the requirements of CMMC 2.0 and other cybersecurity frameworks. Contact us today to learn how we can help your company achieve and maintain compliance with the latest cybersecurity regulations.

Share in Social Media

case studies

See More Case Studies

microsoft 365 GCC High

What is GCC High? For ITAR & CMMC 2.0

Microsoft 365 Government Community Cloud (GCC) High is a specialized cloud solution tailored for U.S. federal, state, local, tribal, and territorial government organizations, as well as for contractors who hold or process data subject to specific security regulations. In this article, we will explore the features, benefits, and differences between Microsoft 365 GCC High and other Office 365 offerings.

Learn more
Contact us

Partner with Us for Compliance & Protection

We’re happy to answer any questions you may have and help you determine which of our services best fit your needs.

Your benefits:
What happens next?
1

Schedule an initial meeting

2

Arrange a discovery and assessment call

3

Tailor a proposal and solution

How can we help you?