The dust is still settling on the new CMMC release, officially called CMMC 2.0, and like any new CMMC-related announcement, it raises questions. Below are answers to some of the easiest, and fortunately the most important, questions from a practical perspective.
Before jumping into the questions, here is a comparison chart between CMMC 1.0 and 2.0.
| CMMC 1.0: Cyber Hygiene Level | CMMC 1.0: Certification Method Required | CMMC 2.0: Cyber Hygiene Level | CMMC 2.0: Certification Method Required |
| --- | --- | --- | --- |
| Level 5 – Advanced | CMMC Third Party Assessor Organization (C3PAO) Certification | Level 3 – Expert | DoD Certification |
| Level 4 – Proactive | C3PAO Certification | (none) | (none) |
| Level 3 – Good | C3PAO Certification | Level 2 – Advanced | C3PAO Certification |
| Level 2 – Intermediate | C3PAO Certification | Level 2 – Advanced | Self-Assessment |
| Level 1 – Basic | C3PAO Certification | Level 1 – Foundational | Self-Assessment |
Being proactive seemed like the right thing to do, did I waste time and money due to the regulations changing?
No, as long as you haven’t actually been certified as compliant. If you were confident of your CMMC 1.0 level, then you know your CMMC 2.0 level. The requirements haven’t changed, just the level number. There are discussions on whether additional requirements will be added to levels, but it does not appear they will be reduced.
All the preparation prior to being certified is the same for CMMC 1.0 and CMMC 2.0. Any gap or readiness assessments, information gathering, and remediation are the same for both CMMC versions. The real difference is one may qualify for performing a self-assessment and not need a C3PAO to certify.
How do I know if a self-assessment will meet our organization’s CMMC requirements?
Like CMMC 1.0, the RFPs and contracts will dictate the requirements. Level 1 organizations can perform self-assessments. Level 2 organizations that are not touching information critical to national security will be able to perform self-assessments. For those Level 2 organizations touching information critical to national security, a C3PAO certification will be required.
Has CMMC 2.0 changed the timeline for compliance?
The timeline with CMMC 1.0 was never definitive. The CMMC 2.0 announcement in November 2021 provided a 9- to 24-month timeline to complete the rulemaking process. RFPs and contracts will carry CMMC level requirements once the rulemaking process is finalized. There is an indication the DoD wants to create incentives for contractors to be ready sooner rather than later.
What does this mean going forward?
The good news is that many organizations expecting to pay for a C3PAO certification will not be required to do so. Even if there is no time or no resources to perform a self-assessment in house, using a third party to assist with a self-assessment will be less expensive than going through the C3PAO certification process. There is less liability and risk involved with a self-assessment, which allows third parties to assist with the readiness assessment, remediation, and ongoing assessment support. It is now even easier to get help if your organization falls under the self-assessment requirement.
Contact your Dean Dorton advisor or other professional advisor for more information.
If you don’t have an advisor, but would like to speak with us, send an email to:
insights@deandorton.com