CMMC 2.0
Ensuring security throughout the Defense Industrial Base
Who needs it and why?
What is CMMC 2.0 and how does it differ from 1.0?
The DoD introduced its CMMC initiative in mid-2019 and released CMMC 1.0 in early 2020. The initial program called for external audits of each and every one of the hundreds of thousands of companies doing work for the DoD, all within five years.
Congressional hearings followed, and in November 2021 the DoD released its much-streamlined CMMC 2.0 model. The new program focuses on reducing costs for SMBs and aligning cybersecurity requirements with other federal requirements. The DoD reshaped CMMC to follow a security-first approach that is accessible even to smaller companies.
CMMC 1.0 has since been superseded by CMMC 2.0. While the DoD could expedite the model's rollout, CMMC 2.0 is expected to go into effect in May 2023 and to appear in contracts by July 2023. That leaves a short time to get your house in order so that you can remain competitive in the DIB. This blog is intended to help you get started. Below is an overview of CMMC 2.0, its practices and levels, and what you need to know to begin your compliance journey.
CMMC 2.0 differs from 1.0 in the following key ways:
- It trims the number of CMMC levels from five to three. The new CMMC 2.0 levels are: Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert).
- CMMC 2.0 dropped the 20 CMMC-unique practices that 1.0 had layered on top of NIST SP 800-171, so the new Level 2 maps one-to-one to the 110 security requirements of NIST SP 800-171. Level 2 certification indicates that an organization can securely store, process and share CUI.
- Whereas Plans of Action and Milestones (POA&Ms) were not allowed in 1.0, CMMC 2.0 allows their limited use. A POA&M may only cover lower-weighted 1-point requirements (the weights come from the DoD's NIST SP 800-171 Assessment Methodology), not the higher-weighted 3- or 5-point requirements, and open items must be closed out within 180 days.
- Waivers of the certification requirement will be permitted in very limited circumstances, and only with senior DoD leadership approval.
How we help you achieve and maintain CMMC 2.0 compliance
From small shops to large enterprises, we can help you properly scope and execute your CMMC 2.0 compliance program.
CMMC Level 1
(Foundational)
- 17 practices
- Annual self-assessment
CMMC Level 2
(Advanced)
- 110 practices aligned with NIST SP 800-171
- Triennial (every three years) third-party C3PAO assessments for contracts involving critical national security information
- Annual self-assessment for select programs
CMMC Level 3
(Expert)
- 110+ practices: the Level 2 set plus a subset of NIST SP 800-172 requirements
- Triennial (every three years) government-led assessments
CMMC Cost and Schedule
CMMC 2.0 compliance
The level a contract requires is the biggest cost factor, but a contractor's existing security posture also affects the total cost and time needed to obtain CMMC certification. The figures below are average estimates; where you land within a range depends largely on how much of the required practice set is already in place.

| Level | Average cost | Typical duration |
|---|---|---|
| Level 1 (Foundational) | $3,000 – $6,000 | 1 – 3 months |
| Level 2 (Advanced) | $25,000 – $35,000 | 2 – 4 months |
| Level 3 (Expert) | $55,000 – $75,000 | 3 – 6 months |