Source: Office of the Under Secretary of Defense. “About CMMC.” www.acq.osd.mil/cmmc/about-us.html
Maturity Levels 1 to 3
CPO Magazine provides an excellent summary regarding updates to each maturity level. As stated above, Level 1 pertains to those contractors that don’t interact with CUI or HVA. Level 2 contractors deal with CUI but not HVA, and require a third-party assessment only if they deal with CUI considered to be Critical National Security Information. Level 3 is for contractors that use HVA, and their assessments must be performed by the government rather than a C3PAO.
Benefits of CMMC 2.0
We touched on how CMMC 2.0 was designed to give small businesses a realistic path to certification by making changes that are both effective and financially reasonable. This is achieved primarily through reduced assessment costs.
That said, the revised model is also regarded as a more streamlined approach that aligns with National Institute of Standards and Technology (NIST) standards and allows for increased oversight and enforcement of ethical standards.
Due Date for Implementation
The DoD still needs to finalize its rulemaking for CMMC 2.0, which means there is not yet a firm date by which these changes must be implemented. The DoD originally anticipated completing rulemaking within nine to 24 months, so your team still has time to identify the areas you need to improve and develop a plan for addressing them.
How HCRS Can Help
HCRS can guide your team toward CMMC certification by clearly outlining the processes required for each maturity level. As a Registered Provider Organization (RPO), we don’t perform audits, and we can’t grant the certification ourselves. But we can share our government experience and cybersecurity knowledge so that you have the best resources available.
It’s important to note that you can still bid for government contracts while you’re in the process of meeting CMMC certification if you can establish a Plan of Action and Milestones (POA&M). A POA&M documents your organization’s known weaknesses and presents a strategy, with milestones, for how you intend to correct them.
Even if you aren’t a government contractor, these requirements are relevant. They’re also likely to be adopted across multiple industries in the coming months. It only makes sense to use this framework to develop and enhance your own cyber defense, especially considering the at-risk state of the healthcare sector when it comes to ransomware and other digital threats.
When you’re ready, we’re here to help. Contact us today to schedule time for a needs analysis.