CMMC Compliance

Do you need help with CMMC compliance?

We specialize in compliance services and managed security for companies who need to obtain CMMC. We can also conduct an assessment and perform the remediation needed to pass an audit for the required CMMC level.

Contact us today to see how we can save you time and money in obtaining CMMC compliance.

If you’re a defense contractor looking to start your CMMC compliance journey, you should look to meet the 110 controls in NIST 800-171. Don’t procrastinate. Preparation to meet these controls can take up to 18 months.

Who Needs CMMC Certification?

Every contractor in the defense industrial base (DIB) must conduct a self-assessment once per year. However, the same is not true for third-party assessments. CMMC 2.0 recognizes that different types of sensitive information require different degrees of protection. Third-party assessment requirements will therefore be based on the type of information DIB companies are working with.

Companies seeking Level 1 compliance will not require third-party certification. Instead, the contractor must specify the people, technology, facilities and external providers within their environment that process, store or transmit FCI. Companies will be required to self-certify once per year that they meet the basic safeguarding requirements for FCI specified in FAR clause 52.204-21.

If you’re seeking CMMC Level 2, you can expect to need a third-party assessment every three years. The DoD has rolled back its earlier statements that it will bifurcate Level 2 requirements. This means that you should plan on being assessed by accredited C3PAOs (CMMC Third Party Assessment Organizations) or certified CMMC Assessors.

Companies seeking Level 3 (Expert) compliance will need to meet the security requirements specified in NIST SP 800-171 plus a subset of requirements specified in NIST SP 800-172. The DoD is still in the process of determining how organizations seeking Level 3 compliance will be assessed. However, those companies will require a DIBCAC audit to achieve compliance.

At present, no assessments of defense contractors by C3PAOs are taking place. The DoD is expected to roll out the final assessment process for C3PAOs in the summer of 2022. At that time, contractors will be able to undergo voluntary assessments with certified C3PAOs.

Want to learn more about the CMMC 2.0 model? 

Hoop5 has helped DoD service providers, manufacturers, and contractors understand cybersecurity practices for CMMC, including how National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, and Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, 7019, 7020, and 7021 can impact their business and how they can prepare.