December 26, 2023: DoD publishes CMMC proposed rule

On Monday, December 26, 2023, the US Department of Defense (DoD) published the CMMC proposed rule. Note that an unofficial version had been circulating since December 22, 2023.

This proposed rule provides several clarifications concerning CMMC, its scope, its implementation, the certification process, and so on. It also testifies to DoD's desire to move ahead with CMMC as quickly as possible, with the protection of its CUI in mind.

If you are a DoD contractor or subcontractor, you have the opportunity to comment on the CMMC proposed rule. Your comments could lead to changes in the CMMC process. The comment period ends on February 26, 2024.

We will analyze the CMMC proposed rule in more detail and publish a blog post.

In the meantime, here's what you need to know:

CMMC vs NIST 800-171

  • The core of CMMC will remain NIST SP 800-171 Rev 2. Forget Rev 3 for now.

CMMC vs SPRS

  • You will need to use SPRS to submit your CMMC assessment results.

CMMC 2.0 - Level 1

  • annual self-assessment + submission to SPRS

  • annual self-affirmation by a member of senior management + submission to SPRS

  • no action plan (POA&M) accepted

CMMC 2.0 - Level 2 with Self-assessment

  • action plan (POA&M) accepted, but you will have 180 days to correct deviations

  • CMMC self-assessment valid for 3 years

  • CMMC assessment result must be entered into the SPRS system

  • annual self-affirmation by a member of senior management + submission to the SPRS system

CMMC 2.0 - Level 2 with Certification

  • action plan (POA&M) accepted, but you will have 180 days to correct deviations

  • CMMC certification by a third party (C3PAO)

  • CMMC assessment information must be entered into the Enterprise Mission Assurance Support Service (eMASS) system

  • CMMC certification valid for 3 years

  • annual self-affirmation by a member of senior management + submission to the SPRS system

CMMC 2.0 - Level 3

  • compliance with required NIST 800-171 and NIST 800-172 controls and sub-controls

  • action plan (POA&M) accepted, but you will have 180 days to correct deviations

  • audit by a DoD evaluator

  • CMMC assessment information must be entered into the Enterprise Mission Assurance Support Service (eMASS) system

  • certification valid for 3 years

  • annual self-affirmation by a member of senior management + submission to the SPRS system