CMMC compliance is evolving significantly, with the aim of simplifying and streamlining the process for all stakeholders. The program, initially designed to enhance cybersecurity across Defense Industrial Base (DIB) entities, is now being revised for more accessible and comprehensive compliance, consolidating levels and introducing new pathways for smoother adherence to standards.

The Background: NIST 800-171 vs CMMC

CMMC helps the government check whether companies follow the NIST SP 800-171 rules. Contractors have been required to follow these rules since January 1, 2018, but the Defense Department saw that many companies in the Defense Industrial Base were not following them well. So it created CMMC in January 2020 to fix this. Starting September 2020, contractors needed CMMC certification at the right level to bid on projects.

Even subcontractors must follow CMMC. NIST 800-171 requires following both the Controlled Unclassified Information (CUI) rules and the Non-Federal Organization (NFO) rules, but CMMC looks only at the CUI rules. So holding a CMMC certification at any level from 1 to 5 doesn’t mean you follow all the NIST 800-171 rules. Overlooking this gap might violate the False Claims Act.

This is why a good compliance expert is crucial to cover all the details.

CMMC 2.0 Update: Reducing Bureaucracy, Elevating Standards

The Pentagon is overhauling CMMC, planning fewer third-party checks and introducing waivers. CMMC 2.0, announced in November 2021, is anticipated to be finalized by October 2025. It condenses the five certification levels into three (foundational, advanced, and expert), easing bureaucracy for small and medium-sized businesses (SMBs). However, adhering to cyber standards and safeguarding sensitive information become pre-contract award requirements, verified by independent, on-site third-party audits.

Non-compliance spells no contract, no revenue—a critical shift signaling a more stringent approach in contractual criteria for DoD involvement.

DFARS Interim Rule

The DFARS Interim Rule, effective since December 2020, requires contractors vying for new DoD contracts to conduct self-assessments and report the outcomes to SPRS via the DFARS compliance checklist. Raising your company’s self-assessment score becomes pivotal for winning contracts.

So how does this relate to CMMC? Remember that the first “M” in CMMC stands for “Maturity.” Companies that are serious about achieving certification must demonstrate that they have institutionalized the practices of CMMC compliance for months.

LDD Consulting can help you quickly improve your level of cybersecurity – and substantially boost your self-assessment score – by safeguarding Controlled Unclassified Information (CUI), crucial for compliance.


©2023. LDD Consulting, Inc. All Rights Reserved.