The DOD also says that the new program reduces assessment costs because it allows more companies to demonstrate compliance through self-assessments, and adds accountability through enhanced oversight of the professional and ethical standards of third-party assessors. Additionally, the DOD says the CMMC 2.0 program is more flexible, because it allows companies, under certain limited circumstances, to make “Plans of Action & Milestones” to achieve certification, and it grants waivers to CMMC requirements under certain limited circumstances.
CMMC 2.0 will now go through a rule-making process to be codified, which could take nine to 24 months, according to the DOD, and will become a contract requirement once rule-making is completed.
The DOD says the changes were made in an effort to reduce compliance costs (particularly for small businesses), increase trust in the CMMC assessment ecosystem, and clarify and align cybersecurity requirements with other federal requirements and commonly accepted standards.
Matthew Travis, the CMMC Accreditation Body’s CEO, said in December that moving forward with assessments is dependent on DOD greenlighting the process, FCW reports. Assessments will also be affected by “preparing the IT systems assessment organizations will use to upload the assessment data and updated documentation to incorporate program changes,” according to FCW.
“I talked to a C3PAO authorized today, they’ve got customers ready to go,” Travis said. “So when that green light comes on, you’re going to see assessments starting.”