TLDR:
Payam Pourkhomami discusses the biggest changes in the proposed CMMC 2.0 rule, including new requirements for service providers and cloud service providers. The inclusion of security protection data will also increase costs and administrative burdens for contractors. The timeline for implementation is structured into four phases, starting in Q1 CY 2025.
In Part Two of his series, Payam Pourkhomami unpacks the key elements of the proposed CMMC 2.0 rule, focusing on the changes that government contractors need to be aware of. One of the major updates in the new rule is the requirement for managed services providers (MSPs) and managed security services providers (MSSPs) to be third-party certified to the same CMMC level as the contractor they serve, so that a provider with access to the contractor's in-scope environment is held to the same standard as the contractor itself rather than becoming the weakest tier in the chain.
Another crucial aspect of the new rule is the mandate for cloud service providers (CSPs), which are now required to hold FedRAMP Moderate authorization or demonstrate equivalent security compliance. The rule also introduces security protection data (SPD), the security-relevant data handled by the tools that protect a contractor's environment (for example, log files, configuration data and vulnerability information), which broadens the assessment scope to include the contractors' systems and tools that support their security and compliance programs.
The implementation timeline for CMMC 2.0 is structured with four phases, starting in Q1 CY 2025 with mandatory self-assessments for contractors seeking new contracts. Subsequent phases introduce certification assessments for new contracts and mandate third-party certification for Level 2 contractors by Q3 CY 2026. The final phase in Q3 CY 2027 integrates the program’s requirements into all DOD solicitations and contracts, aiming to standardize and strengthen cybersecurity practices across the defense industrial base.