CMMC 2.0: You Cannot Afford to Wait – Here’s Why!

CMMC Model 2.0 was announced in November 2021 and will be implemented through the federal rule-making process.

The Two Rules Are:

  • Title 32 of the Code of Federal Regulations (CFR), National Defense – the CMMC program rule
  • Title 48 of the CFR, Federal Acquisition Regulations System – the Defense Federal Acquisition Regulation Supplement (DFARS) acquisition rule

DoD contractors will be required to comply once rule-making is final. Both rules will go through a public comment period, and the process is expected to last through May 2023. Once the rules are final, CMMC requirements will begin to appear in DoD solicitations. Although rule-making will not be final until then, the DoD encourages contractors to keep improving their cybersecurity posture during the interim period.


Some contractors have not completed the pre-requisites to CMMC, which are existing requirements under the FAR and DFARS (48 CFR). All DoD contractors that store, process, and/or transmit Controlled Unclassified Information (CUI) must meet the following:

  1. FAR 52.204-21: "Basic Safeguarding of Covered Contractor Information Systems" – 15 basic security requirements
  2. DFARS Clause 252.204-7012: "Safeguarding Covered Defense Information and Cyber Incident Reporting" – implementation of NIST SP 800-171 (110 security requirements) – required by 12/31/2017
  3. DFARS Clause 252.204-7019: NIST SP 800-171 self-assessment using the DoD Assessment Methodology, with the resulting score posted to the Supplier Performance Risk System (SPRS)
  4. DFARS Clause 252.204-7020: NIST SP 800-171 Medium or High assessment conducted by DCMA's DIBCAC (mostly applied to large contractors)

At a minimum, small to medium businesses (SMBs) must meet numbers 1, 2, and 3 above: implement the 15 basic safeguarding requirements (#1), implement and self-assess the 110 security requirements in NIST SP 800-171 (#2), and post the resulting SPRS score (#3).


Preparing for CMMC Level 2 is time-intensive and not a quick exercise. Final rule-making may catch some DoD contractors off guard if the pre-requisites are not complete.

CMMC certification cannot be achieved without meeting the pre-requisites!

The CMMC ecosystem (assessors and consultants) will be stretched thin, and there could be a mad rush to the finish line once final rule-making is complete. The journey, if not already started, begins with the DFARS clauses. Doing nothing is not a plan; it is risky and ignores FAR, CUI, DFARS, and CMMC compliance requirements.


  1. Define your CUI boundaries:
    1. Know where CUI is stored, processed, and transmitted
    2. Isolate CUI so the assessment scope is as small as possible
    3. This should be done regardless of CMMC requirements; protecting CUI has been a contractual requirement since 2015
  2. Develop your System Security Plan (SSP)
    1. Without an SSP, an SPRS score cannot be calculated (the DoD Assessment Methodology requires one).
    2. Lack of an SSP, or an SSP that lacks sufficient detail, will fail an assessment before it has a chance to get off the ground.
    3. Most SSPs run 50+ pages; many are 100+ pages.
  3. Ensure your NIST SP 800-171 self-assessment is completed
  4. Post your SPRS score if not done yet (per DFARS 252.204-7019)
    1. This is not an IT-only endeavor; non-IT stakeholders (HR, contracts, facilities, leadership) must be involved.
  5. Get familiar with CMMC 2.0 Source documents:
    1. CMMC Scoping Guidance
    2. CMMC Assessment Guides
    3. CMMC Assessment Process (not yet published)
  6. Assign roles, responsibilities, and tasks 
    1. Recommend a Responsibility Traceability Matrix (RTM)
  7. Coordinate with your managed service providers (MSPs) and cloud service providers (CSPs)
    1. Ensure there is a Shared Responsibility Model (SRM) that establishes, control by control, which responsibilities belong to your company and which to each service provider
  8. Remediate all gaps found in the self-assessment
  9. Get an independent consultant to review (fresh eyes to review gaps or validate controls are implemented)


Plan a strategy for preparing for a CMMC assessment. A good way to do this is to set a target date for CMMC readiness. Have no fear; this is within the DoD contractor's control. Failing a CMMC assessment has a significant financial impact, as it could make the contractor ineligible for contract award.

Start the Journey Now!

Especially if you have missed some checkpoints along the way!
