
Will CMMC 2.0 Certification Be Mandatory in May 2023? Drip7 Provides…


When will CMMC 2.0 start showing up in contracts?

All companies can benefit from improved training, not just those awaiting news about CMMC — especially since the DoD is working on a new rule that will bring CMMC-like requirements to an even broader set of companies.

With the original May 2023 rollout date here, and no official word on when CMMC 2.0 will appear in contracts, speculation has been raging. Some anticipate it anywhere from as soon as June of this year to spring of 2024, but as of yet, no one knows. But does it even matter when it shows up?

According to Noël Vestal, the Compliance Officer at PreVeil, “The most important thing I keep telling everyone is that CMMC is just a certification, NIST 800-171 is the actual compliance framework. And NIST 800-171 is already a contractual obligation NOW. Meaning, people need to address their NIST 800-171 controls… like yesterday.”

Whereas CMMC 1.0 may have put the fear of the DoD into companies, the proposed 2.0 seems more reasonable, even if still a massive undertaking. CMMC 2.0 is now exactly in line with NIST 800-171. So what is the concern? It might be that some members of the DIB, who were entering their company’s NIST 800-171 self-assessment scores into the Supplier Performance Risk System (SPRS), might not have been telling the truth and have a lot of work to do to keep out of hot water.

Unlike the earlier version of CMMC, version 2.0 only allows self-assessment for Level 1. Levels 2 and 3 require assessment by a Certified Third Party Assessor Organization (C3PAO). But here’s an often-overlooked detail that is worth knowing:

The C3PAO can and will interview multiple employees within your organization and ask about policies and security procedures. If you want to pass your certification assessment, make sure your employees are trained. Training is always a key element to staying secure — whether you’re seeking CMMC certification or not. But for certification, it is indispensable.

“Everybody that has DoD contracts needs to be getting ready,” says Heather Stratford, CEO of Drip7. “You don’t want to waste valuable time waiting for the official CMMC update to launch. Start training now.”

Ensuring that your employees are well-trained and able to answer questions accurately is crucial. With Drip7’s highly customizable content, creating and distributing training material is a breeze. The platform is also mobile-friendly and uses a microlearning format, allowing employees to learn at their own pace. Additionally, the gamified interface leverages the neurochemistry of how brains learn, making retention of information more effective.

All companies can benefit from improved training, not just those awaiting news about CMMC, especially since the DoD is working on a new rule that will bring CMMC-like requirements to an even broader set of companies. Defaulting to the NIST framework and maintaining compliance with it, whether contractually obligated or not, is an excellent starting point for cybersecurity.

About Drip7

Drip7 is a leading innovator in the field of cybersecurity awareness training with an easy-to-use, mobile-based platform utilizing microlearning and gamification to increase employee engagement and create behavior change. Drip7 combines the right science and content to produce a superior training platform. From one question or “drip” a day to allowing employees to train when and where they want on their phone or computer, Drip7 engages users with an interactive dashboard, rewards, badges, and more. Included training is focused on cybersecurity and compliance; however, the platform can be customized by a company for any training need. For more information, please visit https://drip7.com
