CMMC News: CMMC Has Been Published as a Proposed Rule

CMMC News: CMMC Has Been Published as a Proposed Rule

On the Friday before Christmas, CMMC was finally published as a proposed rule. This means one thing for certain. The time to start preparing for your CMMC assessment is here, regardless of whether you are already in compliance with NIST 800-171 r2 or whether you are starting from scratch.

What is CMMC 2.0?

According to the document available at, CMMC rests on three pillars. Those pillars are: 

• Tiered Model: CMMC requires companies entrusted with national security information
to implement cybersecurity standards at progressively advanced levels, depending on the
type and sensitivity of the information. The program also describes the process for
requiring protection of information flowed down to subcontractors.

• Assessment Requirement: CMMC assessments allow the Department to verify the
implementation of clear cybersecurity standards.

• Implementation through Contracts: Once CMMC is fully implemented, certain DoD
contractors handling sensitive unclassified DoD information will be required to achieve a
particular CMMC level as a condition of contract award.

The CMMC Tiered Model

Tiers are determined in contracts with primes and/or the government. There are three possible levels, with level one representing the lowest amount of security and level three being the top level of security. 
Level one contractors can self-assess, but this has to be done annually and must be recorded in SPRS. Contractors must “verify through self-assessment that all applicable security requirements outlined in FAR clause 52.204-21 have been implemented” as per the document cited above.

Level two contractors must comply with NIST 800-171 r2 as well as DFARS clause 252.204-7012. You do not have to meet all controls on the first try, but any unmet controls require a POAM (Plan of Action & Milestones) and the controls must be satisfied with 180 days. At level two, contractors are required to have a third-party assessment once every three years. They can do self-assessments for the two years in between the third-party assessments. 

Finally, level three contractors are at the highest level of security. Because of this, requirements are more detailed than for the first two CMMC levels. The rule notes, “At Level 3, CMMC adds a requirement for contractors and applicable subcontractors to verify through DoD assessment and receive certification that all applicable CMMC Level 3 security requirements from NIST SP 800-172 have been implemented. A senior official from the prime contractor and any applicable subcontractor will be required to affirm continuing compliance with the specified security requirements after every assessment, including POA&M closeout, and annually thereafter.”

Next Steps

A contractor’s next steps where CMMC is concerned are first to achieve compliance with NIST SP 800-171 r2. While it is true revision three is due to be published sometime in the spring, according to NIST, but the first step is to make sure the 110 controls are met from revision two. 

Contractors may also want to consider pursuing ISO 27001 while working toward NIST/CMMC compliance. While ISO 27001 does not have anything to do with CUI or FCI, it is an international information management security system standard, and there is a great deal of overlap between the ISO standard and NIST 800-171 r2. The possibility of achieving compliance with both standards is not an overwhelming objective. 

If you are not sure where to start, request a quote or contact us today. We are happy to discuss your company’s specific situation with you and answer questions about the rulemaking process, whether ISO 27001 would be of benefit to your company, and more. 

Latest Resources

See all resources