CMMC 2.0 Certification: Protecting Your Business and Securing Future DoD Contracts

If your company works with the Department of Defense (DoD) or is part of its supply chain, you may need to meet CMMC 2.0 requirements to continue working with the DoD in the near future. CMMC 2.0 is about making sure your company has the right cybersecurity measures in place to protect sensitive DoD information. If your company handles federal contract information (FCI) or controlled unclassified information (CUI), you must be compliant. This includes both prime contractors and their subcontractors at any tier, including suppliers, vendors, and consultants. This also includes your IT MSP.

A phased implementation of CMMC 2.0 is expected to begin in Q1 2025, with full implementation in all DoD contractor and subcontractor contracts by 2028. A CMMC certification level is determined by the specific kind of information a company handles and the type of work it does. The specific level of certification required will be spelled out in all new DoD contracts. If a supplier is not certified at the specified level, it cannot bid. It’s important to understand which level applies to your business and take steps to meet the requirements. There are three levels of certification:

  • Level 1: Basic – This is the simplest level, requiring just a few essential practices like using strong passwords and regularly updating software. It’s aimed at companies that have a FAR 52.204-21 clause (a subset of DFARS requirements) in their contract and handle only FCI.
  • Level 2: Advanced – This level is more comprehensive, covering a broader range of security practices. It’s for companies handling more sensitive information and includes practices such as regular security monitoring. CMMC Level 2 is aligned with NIST SP 800-171. It requires third-party assessments for contractors that send, share, receive, and store critical national security information. This level encompasses the security requirements for CUI specified in NIST SP 800-171.
  • Level 3: Expert – This is the highest level and involves the most stringent security measures. It’s for companies handling the most sensitive data and requires constant monitoring and advanced defenses. CMMC Level 3 is aligned with NIST SP 800-172 and will require triennial government-led assessments.

As one of Pennsylvania’s seven non-profit Industrial Resource Centers, MANTEC is South Central PA’s regional point of contact for CMMC guidance and training.

To schedule a conversation with Don Bolton, our Manufacturing Technology Advisor, about CMMC or other IT concerns, complete the form to the right.

Don Bolton
Manufacturing Technology Business Advisor
Email: don@mantec.org
Phone: (810) 358-4702
LinkedIn: https://www.linkedin.com/in/dmb-ii/
