
The Cybersecurity Maturity Model Certification (CMMC) framework was introduced by the United States Department of Defense (DoD) in January 2020 to raise the cybersecurity posture of the defense industrial base. Since then the framework has been substantially revised, and the current version, CMMC 2.0, was announced in November 2021. It changes both the model and the way compliance is verified, so it is essential to understand the CMMC 2.0 rulemaking process and what to expect from it.

What is CMMC 2.0?

CMMC 2.0 is the latest version of the CMMC framework and replaces CMMC 1.0, which was released in January 2020. Its stated goals are to simplify the model, reduce the cost of compliance (particularly for small businesses), and align the requirements for contractors handling Controlled Unclassified Information (CUI) directly with NIST SP 800-171 Rev. 2 rather than with a CMMC-specific superset of it.

What are the changes in CMMC 2.0?

CMMC 2.0 introduces several changes to the framework, including:

  1. Consolidated Levels: CMMC 1.0 had five certification levels, each with its own set of practices and process-maturity requirements. CMMC 2.0 collapses these into three. Level 1 (Foundational) consists of the 17 basic safeguarding practices drawn from FAR 52.204-21 and applies to contractors handling Federal Contract Information. Level 2 (Advanced) consists of the 110 security requirements of NIST SP 800-171 Rev. 2 and applies to contractors handling CUI. Level 3 (Expert) adds a subset of the enhanced requirements of NIST SP 800-172 on top of Level 2 for the most sensitive programs.
  2. Alignment with NIST SP 800-171 Rev. 2: The 20 CMMC-unique practices and the maturity-process requirements of CMMC 1.0 were removed, so Level 2 maps one-to-one onto the 110 requirements that contractors handling CUI are already obligated to implement under DFARS 252.204-7012. CMMC 2.0 also permits time-bound Plans of Action and Milestones (POA&Ms) for a limited set of requirements and allows waivers in select mission-critical cases, neither of which CMMC 1.0 allowed.
  3. Assessment Type Depends on Level and Data Sensitivity: CMMC 1.0 required a third-party assessment at every level. CMMC 2.0 reintroduces self-assessment for Level 1 and for the subset of Level 2 programs that do not involve information critical to national security, backed by an annual affirmation of compliance from a senior company official. Level 2 programs that do involve such information require a triennial assessment by a CMMC Third-Party Assessment Organization (C3PAO), and Level 3 requires a triennial government-led assessment.

What is CMMC 2.0 Rulemaking?

CMMC 2.0 rulemaking is the federal regulatory process through which the program is written into law and made enforceable in contracts. Until that process is complete, CMMC 2.0 is a DoD policy announcement, not a contractual requirement. The process exists to ensure that the program is consistent with statutory and regulatory requirements while giving the public, including affected contractors, a formal opportunity to comment before the rules take effect.

The DoD, not the CMMC Accreditation Body, conducts the rulemaking. The program itself is being codified in Title 32 of the Code of Federal Regulations (CFR), and the contract clauses that impose it on contractors are being added to Title 48 (the DFARS); both rules are published in the Federal Register. The CMMC-AB (since renamed The Cyber AB) is a non-profit organization that accredits and oversees the C3PAOs that perform Level 2 assessments; it does not write or approve the rules.

What to Expect from CMMC 2.0 Rulemaking?

The CMMC 2.0 rulemaking process is ongoing, and several key developments are expected in the coming months. These include:

  1. Publication of a Proposed Rule: When it announced CMMC 2.0 in November 2021, the DoD said it would implement the program through rulemaking in both 32 CFR and 48 CFR, each with a public comment period, and estimated the process would take 9 to 24 months. The proposed rule is the document that spells out how the program operates and the requirements defense contractors must meet at each level.
  2. Public Comment Period: Once a proposed rule is published in the Federal Register, stakeholders have a fixed window to submit written comments. This is the point at which contractors, C3PAOs, and industry groups can raise objections to cost, scope, or timing, and the DoD must respond to substantive comments in the final rule.
  3. Final Rule: After considering the comments, the DoD publishes a final rule with an effective date. Only then can CMMC requirements begin to appear in solicitations and contracts.
  4. Implementation: The DoD has stated that CMMC requirements will not be included in contracts until rulemaking is complete and that the requirement will then be phased into solicitations over time. Contractors should not wait for that date: the 110 NIST SP 800-171 requirements underlying Level 2 are already a contractual obligation under DFARS 252.204-7012 for anyone handling CUI, and a Basic Assessment score must already be posted to SPRS under DFARS 252.204-7019 and 252.204-7020. Closing those gaps now is the bulk of the work a Level 2 assessment will later verify.

In conclusion, the CMMC 2.0 rulemaking process is an essential step towards enhancing the cybersecurity posture of defense contractors. As the process unfolds, it is important for companies to stay informed and prepared to meet the updated certification requirements.

At Cleared Systems Consulting, we are committed to helping companies navigate the evolving landscape of cybersecurity regulations and certifications. Our team of experts can provide guidance and support to ensure that your company is prepared to meet the requirements of CMMC 2.0 and other cybersecurity frameworks. Contact us today to learn how we can help your company achieve and maintain compliance with the latest cybersecurity regulations.

Ways We Can Help You

Contact us to receive assistance in navigating cybersecurity risks and information compliance for your company. Here are some additional ways we can help:

  • Schedule a free discovery session with us during which we can learn about your company, answer your questions, and assist you in determining if Cleared Systems is the right fit for you.

  • Register for our upcoming cybersecurity and information compliance training.

  • Purchase our books on CMMC 2.0, CUI, Data Breaches, and ITAR.

  • Join our weekly free webinar sessions to ask questions and learn about the latest developments in cybersecurity and information compliance.

Author Profile

Carl B. Johnson, President of Cleared Systems, is a highly experienced ITAR, CMMC 2.0, Microsoft GCC High, and Microsoft DLP/AIP consultant. With over twenty years of experience in information assurance, cybersecurity, policy development, risk management, and regulatory compliance, he brings a wealth of knowledge and expertise to his clients.


