RULEMAKING AND TIMELINE FOR CMMC 2.0

The changes reflected in CMMC 2.0 will be implemented through the rulemaking process. Companies will be required to comply once the forthcoming rules go into effect, and it could take between 9 to 24 Months.

Key CMMC resources

  • Defense Federal Acquisition Regulation (DFARS) Case 2019-D041: Assessing Contractor Implementation of Cybersecurity Requirements
    • DoD issued an interim rule to amend DFARS to implement a DoD Assessment Methodology and the Cybersecurity Maturity Model Certification (CMMC) framework in order to assess contractor implementation of cybersecurity requirements and enhance the protection of unclassified information within the DoD supply chain.
  • DoD CUI Program website
    • Explains the source and importance of CUI and posts related policies, training, marking aids, as well as the CUI registry and new developments.
  • Supplier Performance Risk System (SPRS)
    • SPRS “…is the authoritative source to retrieve supplier and product PI [performance information] assessments for the DoD [Department of Defense] acquisition community to use in identifying, assessing, and monitoring unclassified performance.” (DoDI 5000.79)