FAQ
General Questions for CMMC 2.0
Q: Now that CMMC 2.0 is published, will companies be required to comply with CMMC 1.0?
A: As approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment (USD(A&S)), the interim DFARS rule provided a five-year phase-in period during which CMMC compliance is required only for selected pilot contracts. Until the CMMC 2.0 rulemaking process is complete, the Department does not intend to authorize the inclusion of a CMMC requirement in any contract.
Following the codification of CMMC 2.0 through rulemaking, the Department will require contractors and sub-contractors to follow the new CMMC 2.0 model in accordance with regulatory obligations.
Q: When will CMMC 2.0 be required for DoD contracts?
A: The Department’s strategic goal with respect to the CMMC programme is reflected in the release of materials related to CMMC 2.0; nevertheless, CMMC 2.0 will not be a contractual requirement until the Department completes the rulemaking needed to implement the programme. The regulatory process and its timeframes can take anywhere from nine to twenty-four months. Once rulemaking is finished, CMMC 2.0 will become a contract requirement.
Q: How much will it cost to implement CMMC 2.0?
A: As part of the rulemaking process, the Department will publish a complete cost analysis for each level of CMMC 2.0. Because the Department intends to streamline requirements at all levels, eliminate CMMC-specific practices and maturity processes, allow companies associated with the new Level 1 (Foundational) and some Level 2 (Advanced) acquisition programmes to perform self-assessments rather than third-party assessments, and increase oversight of the third-party assessment ecosystem, costs are expected to be significantly lower than in CMMC 1.0.
Q: Why did the Department make these changes?
A: In response to the interim rule creating CMMC 1.0, the Department received over 850 public comments from industry, Congress, and other stakeholders. These comments emphasized the importance of improving CMMC by lowering costs, especially for small enterprises; enhancing trust in the CMMC assessment environment; and clarifying and aligning cybersecurity requirements with other federal mandates and widely accepted standards. CMMC 2.0 was created to achieve these objectives, as well as to improve the defense industrial base’s cybersecurity.
Q: What is the relationship between NIST SP 800-171 and CMMC?
A: The “Advanced” level (Level 2) under CMMC 2.0 will be equivalent to NIST SP 800-171r2, which is carried over to the CMMC-AB Level 1 and Level 2 Assessor Guides with a CMMC-specific numbering scheme. The “Expert” level (Level 3) will be based on 800-171 and a subset of NIST SP 800-172 standards.
Q: Who will perform third-party CMMC assessments?
A: Once CMMC 2.0 is fully implemented, DoD will accept only CMMC assessments provided by an authorized and accredited C3PAO, and C3PAOs shall use only Certified CMMC Assessors (CCAs) to conduct CMMC assessments.
Q: How frequently will assessments be required?
A: Self-assessments for Level 1 and a subset of Level 2 programmes will be required on an annual basis after CMMC 2.0 is adopted. Assessments by third parties and the government will be needed every three years for some Level 2 and all Level 3 programmes.
Q: Will my organization need to be certified if it does not handle CUI?
A: Under CMMC 2.0, a DIB company that does not process, store, or transmit Controlled Unclassified Information (CUI) on its unclassified network but does process, store, or handle Federal Contract Information (FCI) must conduct a CMMC Level 1 self-assessment and submit the results into SPRS with an annual affirmation by a senior company official.
Q: What are the three different levels of CMMC 2.0?
- Level 1: Foundational – The DoD contractor must comply with 17 controls from NIST 800-171 and submit an annual self-assessment.
- Level 2: Advanced – The DoD contractor must comply with 100 practices aligned with NIST 800-171. Third-party assessments will be conducted every 3 years for critical national security information. Annual self-assessments will be required for some programs.
- Level 3: Expert – The DoD contractor must comply with 110+ practices based on NIST 800-172. Government-led assessments will be conducted every 3 years.
Q: Will the results of my assessment be public? Will the DoD see my results?
A: The results will not be released to the public. After CMMC 2.0 is completely implemented, the DoD will have access to information and data relevant to a company’s evaluation, including the assessment results and final report. All self-assessment findings will be stored in SPRS by the Department of Defense. The CMMC Enterprise Mission Assurance Support Services (eMASS) database will hold CMMC certificates and associated third-party assessment data. A copy of a company’s CMMC certificate will be sent immediately from CMMC eMASS to the Supplier Performance Risk System (SPRS). A CMMC assessment’s detailed results will not be made public.
Q: What are the major differences between CMMC 1.0 and 2.0?
A: The Department of Defense’s CMMC 2.0 programme streamlines the original CMMC framework with an emphasis on cost reduction and programme simplification. The following are significant changes:
- Lowering the number of CMMC levels from five to three
- Dropping maturity requirements
- Aligning requirements for the new Level 2 (Advanced) certification with NIST 800-171’s 110 controls (by eliminating the 20 controls that had been added to Level 3 of the original model)
- Permitting some defense contractors to self-attest to compliance with executive signoff
- Allowing time-limited POAMs for some low-risk security controls
- Ensuring Level 3 (Expert) will be based on a subset of NIST SP 800-172
Q: I’ve heard that the DoD will allow some organizations to get waivers for meeting CMMC. How will this work?
A: DoD wants to grant a limited number of waivers to contractors under CMMC 2.0, allowing them to forgo CMMC requirements for certain mission-critical contracts. Waiver requests will require approval from senior DoD leadership, and any waiver granted will be time-limited.