VIDEO: CMMC 2.0’s Final Rule
If you are a contractor doing business with the DoD, your contracts will soon become dependent on a Cybersecurity Maturity Model Certification (CMMC). The final rule for CMMC 2.0 was published on October 15, 2024. It became effective on December 16, 2024, and will enter contracts in mid-2025.
CMMC 2.0 verifies defense contractors are compliant with existing protections for federal contract information (FCI) and controlled unclassified information (CUI), and are protecting that information from the risk of cybersecurity threats in accordance with NIST 800-171.
CMMC 2.0 has three levels of compliance (the original CMMC had five levels) depending on what kind of government information you handle and store, as well as the threats you face:
• Level 1. This impacts all contracts and specifically safeguards FCI. Contractors self-assess annually.
• Level 2. This impacts most contracts and specifically focuses on safeguarding CUI. It requires third-party or self-assessments every three years.
• Level 3. This impacts some contracts, protects CUI and reduces the risk of advanced persistent threats (APTs). It requires government assessment every three years.