STREAMLINED MODEL

Focused on the most critical requirements:

Streamlines the model from 5 to 3 compliance levels

Aligned with widely accepted standards:

Uses National Institute of Standards and Technology (NIST) cybersecurity standards: Level 2 aligns with NIST SP 800-171, and Level 3 adds a subset of the NIST SP 800-172 requirements

RELIABLE ASSESSMENTS

Reduced assessment costs:

Allows all companies at Level 1 (Foundational), and a subset of companies at Level 2 (Advanced), to demonstrate compliance through annual self-assessments rather than third-party assessments

Higher accountability:

Increases oversight of professional and ethical standards of third-party assessors

FLEXIBLE IMPLEMENTATION

Spirit of collaboration:

Allows companies, under certain limited circumstances, to use Plans of Action & Milestones (POA&Ms) to close remaining gaps on a defined schedule and achieve certification

Added flexibility and speed:

Allows waivers to CMMC requirements under certain limited circumstances

Rulemaking and Timeline for CMMC 2.0-

The changes reflected in CMMC 2.0 will be implemented through the rulemaking process. Companies will be required to comply once the forthcoming rules go into effect. The Department intends to pursue rulemaking both in Title 32 of the Code of Federal Regulations (C.F.R.) as well as in the Defense Federal Acquisition Regulation Supplement (DFARS) in Title 48 of the C.F.R. Both rules will have a public comment period. The Department encourages contractors to continue to enhance their cybersecurity posture during the interim period while the rulemaking is underway by giving consideration to the following five steps:

CMMC Implementation (Five Steps to Make Your Company More Cyber Secure)-

Educate people on cyber threats-

Most cyber incidents start with user error, such as a reused password or a clicked phishing link. Educate people about the importance of setting strong, unique passwords, recognizing malicious links and attachments, and installing the latest security patches promptly.

Implement access controls-

Limit information systems access to authorized users, and limit each user to the specific transactions and functions that they need to perform (least privilege). Review and remove access when a person's role changes or they leave.

Authenticate users-

Use multi-factor authentication (MFA) to verify the identities of users, processes, and devices before granting access, prioritizing remote access, privileged accounts, and systems that hold Controlled Unclassified Information (CUI).

Monitor your physical space-

Escort visitors and monitor visitor activity, maintain physical access audit logs, and control physical devices such as USB keys and other removable media.

Update security protections-

Make sure to download and install the latest security patches when new releases are available. Always double check that they come from a trusted source: obtain them from the vendor's official site or update channel and verify the published signature or checksum before installing.