CMMC 2.0 COMPLIANCE
WHEN IS CMMC COMPLIANCE REQUIRED?
CMMC 2.0 was announced in November 2021 and needs to undergo rulemaking before it is implemented. CMMC 2.0 will become a contract requirement once rulemaking is completed; this process can take 9-24 months. However, if you are a DoD contractor or subcontractor, then the time to start working towards CMMC 2.0 compliance is now.
During the rollout of CMMC 2.0, prime DoD contractors will also need to perform a self-assessment of their implementation of NIST SP 800-171 via the NIST SP 800-171 DoD Assessment Methodology (which prime contractors can also ask of their subcontractors). This assessment results in a score that needs to be submitted to the Supplier Performance Risk System (SPRS). It should also be noted that assessments considered “medium” or “high” must be conducted by the DoD, rather than via self-assessment.
- Safeguard sensitive information through proper cybersecurity hygiene with a "trust but verify" model
- Dynamically enhance cybersecurity to meet evolving threats
- Ensure accountability while minimizing barriers to compliance with DoD requirements
- Instill a collaborative culture of cybersecurity and cyber resilience
- Maintain public trust through high professional and ethical standards
