DoD Contractor’s Guide to CMMC Compliance

The road to CMMC compliance may seem long and difficult, but this guide makes it much less daunting by explaining every step contractors need to take to prepare for it, achieve it, and maintain it.

Guidebook Topics Include:

  • Introduction
  • What Is CMMC?
    • CMMC Timeline
    • What Are the CMMC Certification Levels?
    • How to Determine Which Level Applies to You?
    • What Is the Difference Between FCI and CUI?
  • What Is the Difference Between NIST SP 800-171 and CMMC?
    • Third-Party Certification
    • Mandatory Certification
  • What Do Contractors Need to Know About Cybersecurity FAR and DFARS?
  • CMMC Accreditation Body and Ecosystem
  • How to Prepare for a CMMC Assessment?
  • What Does a Third-Party CMMC Assessment Involve?
  • External Service Provider Considerations
    • Cloud Service Provider Considerations
  • How to Ensure Ongoing Compliance?
    • Designate a Compliance Position
    • Maintain Policies and Procedures
    • Maintain Technical Capabilities

Payam Pourkhomami
President & CEO
OSIbeyond

“The new CMMC framework is taking the defense industry by storm and there is a lot of confusion about what it involves and who it applies to. Our goal is to try to simplify all of the information on CMMC into a clear and consolidated guide for DoD contractors.”

CMMC Timeline

The most important CMMC dates include:

  • January – December 2028 – CMMC phase 4 rollout concludes, with CMMC requirements now included in all DoD solicitations and contracts.
  • January – December 2027 – CMMC phase 3 begins, requiring Level 2 C3PAO certification for the renewal or extension of existing contracts.
  • January – December 2026 – CMMC phase 2 rollout begins, with third-party (certification) assessment requirements introduced at Level 2.
  • January – December 2025 – CMMC phase 1 rollout begins, only requiring self-assessment and attestation for all new contracts. 48 CFR final rule expected early to mid-2025.
  • January – December 2024 – DoD review and analysis of public comments on CMMC 2.0 32 CFR and 48 CFR proposed final rule. 32 CFR final rule becomes effective on December 16, 2024.
  • December 2023 – 32 CFR CMMC 2.0 DFARS rule released for public comment, along with supporting documentation including CMMC 2.0 assessment and scoping guidelines.
  • January 2022 – December 2023 – Rulemaking underway while DIB contractors prepare for CMMC 2.0 requirements.
  • December 2021 – CMMC v2.0 model documentation and assessment guides released.
  • November 2021 – The DoD review of the CMMC program is concluded, CMMC v1.0 is effectively terminated and replaced by CMMC 2.0.
  • April 2021 – The first C3PAOs begin to be assessed against CMMC Level 2 (previously CMMC 1.0 Level 3) by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). C3PAOs must pass their own Level 2 assessment before being able to conduct assessments themselves.
  • January 2020 – The introduction of CMMC Version 1.0.

Excerpt From DoD Contractor’s Guide to CMMC Compliance

“Eventually, all DoD contractors and subcontractors that handle FCI or CUI will be required to meet CMMC requirements, documented either by third party assessment or self-assessment & attestation. Only contractors that provide commercial-off-the-shelf products and don’t handle any CUI won’t be required to achieve one of the three levels of compliance.”

OSIbeyond

OSIbeyond was built on the idea of combining outstanding technical skills with a world-class customer experience. Since 2004 we have remained faithful to our founding values and developed a company that consists of a team of professionals with the highest work ethic and commitment to excellence.

CMMC Compliance Services:

  • CMMC Assessment Preparation
  • Managed IT Services
  • Managed Security Services
  • Post Certification Compliance Management

NIST Compliant:

OSIbeyond is a NIST 800-171 compliant Managed Service Provider. Our expert compliance team will guide your organization through the entire process and help you prepare for a formal assessment by a C3PAO. We provide comprehensive solutions for both attaining and sustaining CMMC 2.0 Level 2 compliance.
