CMMC 2.0 COMPLIANCE

CMMC 2.0 COMPLIANCE

Deadline was June 9th, 2023

WHEN IS CMMC COMPLIANCE REQUIRED?

CMMC 2.0 was announced in November 2021 and needs to undergo rulemaking before it is implemented. CMMC 2.0 will become a contract requirement once rulemaking is completed; this process can take 9-24 months. However, if you are a DoD contractor or subcontractor, then the time to start working towards CMMC 2.0 compliance is now.

During the rollout of CMMC 2.0, prime DoD contractors will also need to perform a self-assessment of their implementation of NIST SP 800-171 via the NIST SP 800-171 DoD Assessment Methodology (which prime contractors can also ask of their subcontractors). This assessment results in a score that needs to be submitted to the Supplier Performance Risk System (SPRS). It should also be noted that assessments considered “medium” or “high” must be conducted by the DoD, rather than via self-assessment.