It is HERE!
The final rule for CMMC 2.0 was released on October 11, 2024, with significant changes aimed at simplifying and improving the cybersecurity requirements for defense contractors. Some of the key changes include:
- Reduction of Levels: CMMC 2.0 reduces the number of certification levels from five to three. This is intended to streamline compliance for contractors, especially small and medium-sized businesses. This is something that has widely been understood since the initial announcement of CMMC 2.0 in November of 2021.
- Assessment Types:
  - Level 1 (Basic safeguarding of Federal Contract Information – FCI): Contractors can perform self-assessments.
  - Level 2 (Advanced protection of Controlled Unclassified Information – CUI): For some contractors, self-assessments will suffice, but those handling more sensitive CUI must undergo third-party assessments. From what we have seen from our customers to this point, most of you will be hovering at this level.
  - Level 3 (Protection against advanced persistent threats): Contractors will require third-party assessments and must adhere to the full set of requirements in NIST SP 800-172.
- New Accountability Measures: Contractors must submit annual affirmations of compliance, which are subject to review, ensuring companies uphold their cybersecurity obligations. Many of you are doing this and it will continue to be “business as usual” for your annual reviews and affirmations.
- Implementation Timeline: CMMC 2.0 will be phased in, with mandatory compliance expected to be fully enforced by 2025. This gradual rollout will give contractors time to meet the new requirements. The Department of Defense (DoD) plans to begin incorporating CMMC requirements into contract solicitations and awards starting in 2025.
- Plans of Action and Milestones (POAMs): Contractors can be granted conditional certification for up to 180 days if they need time to meet certain NIST standards, provided they follow an approved POAM.
The big question is: who will be required to obtain the third-party assessment?
In CMMC 2.0, determining which contractors at Level 2 will require a third-party assessment depends on the type of Controlled Unclassified Information (CUI) they handle. The criteria are based on the sensitivity and criticality of the CUI:
- Critical and Sensitive CUI: Contractors handling CUI deemed critical for national security or higher-risk data will require a third-party assessment. This could involve information that, if compromised, could significantly impact U.S. military operations, defense capabilities, or supply chains. The Department of Defense (DoD) will define which types of CUI fall into this category.
- Lower-Sensitivity CUI: Some contractors handling less sensitive or non-critical CUI may be allowed to perform self-assessments. The distinction between these two groups is expected to be clarified in contract solicitations, where the DoD will specify whether a third-party assessment is needed based on the nature of the CUI involved.
- Solicitation and Contract Requirements: Defense contract solicitations will explicitly state the required level of certification and whether a contractor must undergo a third-party assessment or can proceed with a self-assessment based on the specific data and cybersecurity risks associated with the contract.
What does this mean for you and your business? It is imperative that you read your contracts! We will have more to come regarding contracts, how to read them, and the questions to ask. In the meantime, if you have any questions, please let us know!
Sincerely,
Melissa & The Gang