RULEMAKING AND TIMELINE FOR CMMC 2.0
The changes reflected in CMMC 2.0 will be implemented through the rulemaking process. Companies will be required to comply once the forthcoming rules go into effect, and it could take between 9 to 24 Months.
Key CMMC resources
- Defense Federal Acquisition Regulation (DFARS) Case 2019-D041: Assessing Contractor Implementation of Cybersecurity Requirements
- DoD issued an interim rule to amend DFARS to implement a DoD Assessment Methodology and the Cybersecurity Maturity Model Certification (CMMC) framework in order to assess contractor implementation of cybersecurity requirements and enhance the protection of unclassified information within the DoD supply chain.
- DFARS Clause 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting
- CMMC complements DFARS clause 252.204-7012, which was published in the Federal Register and became effective in 2015. Among other requirements, 252.204-7012 requires Contractors/Subcontractors to safeguard CUI by implementing cybersecurity requirements in NIST SP 800-171.
- DFARS Provision 252.204-7019: Notice of NIST SP 800-171 DoD Assessment Requirements
- Advises offerors required to implement the NIST SP 800-171 standards of the requirement to have a current NIST SP 800-171 DoD Assessment on record to be considered for award. Requires offerors to post current Assessments in the Supplier Performance Risk System (SPRS).
- DFARS Clause 252.204-7020: NIST SP 800-171 DoD Assessment Requirements
- Requires contractors to provide the Government with access to its facilities, systems, and personnel when necessary for DoD to conduct or renew a higher-level NIST SP 800-171 DoD Assessment.
- DFARS 252.204-7021 Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement
- Effective 1 Oct 2025. Requires CMMC certificate by time of contract award. Until 1 Oct 2025, DoD must approve CMMC clause in new acquisitions. Contractor certification level must be maintained for contract duration and this clause must be flowed down, as required.
- NIST SP 800-171 Rev. 2: Protecting CUI in Nonfederal Systems
- National Institute of Standards and Technology Special Publication (NIST SP) 800-171 provides requirements for protecting the confidentiality of CUI.
- NIST SP 800-172: Enhanced Security Requirements for Protecting Controlled Unclassified Information (A Supplement to NIST Special Publication 800-171)
- National Institute of Standards and Technology Special Publication (NIST SP) 800-172, provides federal agencies with a set of enhanced security requirements for protecting the confidentiality, integrity, and availability of CUI in nonfederal systems and organizations from the advanced persistent threat when the CUI is associated with a critical program or high value asset.
- DoD CUI Program website
- Explains the source and importance of CUI and posts related policies, training, marking aids, as well as the CUI registry and new developments.
- Defense Counterintelligence and Security Agency (DCSA) CUI program overview
- Provides an overview of DCSA’s responsibilities in support of DoD CUI program management, including information about program’s phased rollout and various CUI resources.
- Supplier Performance Risk System (SPRS)
- SPRS “…is the authoritative source to retrieve supplier and product PI [performance information] assessments for the DoD [Department of Defense] acquisition community to use in identifying, assessing, and monitoring unclassified performance.” (DoDI 5000.79)
- The Use of the Supplier Performance Risk System (SPRS) in Implementing DFARS Case 2019-D041, Assessing Contractor Implementation of Cybersecurity Requirements
- Provides offerors guidance on the use of SPRS in Implementing DFARS Case 2019-D041, Assessing Contractor Implementation of Cybersecurity Requirements.
- CMMC Accreditation Body Website and Marketplace
- The authoritative source for CMMC-AB information, including marketplace listings of authorized/approved CMMC Third Party Assessment Organizations (C3PAOs).
- CMMC Accreditation Body Website and Marketplace
- DODI 5200.48 – Controlled Unclassified Information
- Establishes policy, assigns responsibilities, and prescribes procedures for CUI throughout the DoD in accordance with Executive Order 13556; 32 CFR Part 2002, “Controlled Unclassified Information; “ and DFARS secs. 252.204-7008 and 252.204-7012. Also, establishes the official DoD CUI Registry.
- DODI 5000.90 – Cybersecurity for Acquisition Decision Authorities and Program Managers
- Establishes policy, assigns responsibilities, and prescribes procedures for the management of cybersecurity risk by program decision authorities and program managers in the DoD acquisition processes.
- Executive Order on Improving the Nation’s Cybersecurity (May 12, 2021)
- E.O. modernizing cybersecurity defenses by protecting federal networks, improving information-sharing on cyber issues, and strengthening our ability to respond to incidents.