DoD released version 2.0 of the CMMC standards on November 17, 2021. Eventually, when CMMC rulemaking is complete, nearly every company engaged in a DoD contract or subcontract that requires the storage, transmission, or processing of Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) will need to be CMMC certified at one of the three (3) levels of the maturity model.
While the certification process for Organizations Seeking Assessment (OSCs) has not yet commenced, organizations can and should be implementing the CMMC standard directly aligned with NIST SP 800-171 (and NIST SP 800-172 for Level 3 Certifications). Prime contractors should also be developing programs to prepare their subcontractors to whom CMMC level requirements will flow down. The level of required CMMC certification will be specified in each specific contract awarded.
The 110 security requirements included in NIST SP 800-171 are part of the CMMC Levels 1-3 certification requirements. Per an interim rule effective November 30, 2020, contractors must have a current (not older than three years) National Institute of Standards and Technology SP 800-171 U.S. Department of Defense Assessment on record. This interim rule allows organizations to close the gap between DFARS and CMMC requirements.
CMMC Level 2 requires a CMMC Third-Party Assessment Organization (C3PAO) to independently assess an OSC to certify conformance to the NIST standard. Once attained, certification for an OSC will last three years.