CMMC 2.0 Compliance – Key Questions and How it Impacts Facility Security in 2024


MathCraft’s Guide on CMMC 2.0 

Addressing Your Key Questions and How It Will Impact Facility Security in 2024 

Released in January 2020, the Cybersecurity Maturity Model Certification (CMMC) pushed the GovCon space into new territory. It set rigorous standards, defined by the Department of Defense (DoD), for contractors to protect sensitive information and, in doing so, support national security initiatives. And while the intention was solid, it ultimately resulted in stress and confusion around the requirements.

Four years later, all the buzz surrounds the successor — CMMC 2.0. Using feedback from industry stakeholders, CMMC 2.0 intends to simplify the certification process and better address today’s security demands. 

With so much information overload, MathCraft is here to help! While we are by no means certification experts, we can cover everything a facility security officer (FSO) should know about CMMC 2.0 and answer your most pressing questions.

The CMMC 2.0 Timeline and a Quick Overview

The Federal Register has full CMMC 2.0 details published and ready for review. In terms of the CMMC 2.0 timeline, here’s where we currently stand:

January 2020 → Original CMMC 1.0 is released by DoD

November 2021 → DoD announces updated version CMMC 2.0

March 2023 → Voluntary audits begin for GovCons to show progress toward CMMC 2.0 

January 2025 → DoD expects phased implementation of CMMC 2.0, with some security programs fully in effect (depending on the contract) 

Early 2028 → All defense contractors and subcontractors must have the CMMC 2.0 certification 

The update provides uniformity across DoD agencies and the contractors that serve them — commonly called the Defense Industrial Base (DIB). And to enhance our nation’s security from the top down, it builds upon previous guidelines such as: 

  • NIST SP 800-53 (general framework for security information systems) 
  • NIST SP 800-171 (measures for protecting non-federal systems) 
  • DFARS 252.204-7012 (controls to safeguard defense information and report cyber incidents) 
  • AIA NAS9933 (critical security controls specific to aerospace and defense) 

After the confusion and complexity of CMMC 1.0, the changes sought to simplify security guidance and provide some leniency. How?

  1. Reducing the number of model levels: Instead of five maturity levels, there are only three: Foundational (Level 1), Advanced (Level 2), and Expert (Level 3).
  2. Adjusting assessment requirements by level: Level 1 allows self-assessment, Level 2 requires third-party assessment, and Level 3 mandates government-run assessments.
  3. Applying POA&Ms: GovCons still implementing Level 2 security controls and practices can use a Plan of Action & Milestones (POA&M) to demonstrate maturity and progress.
  4. Offering waivers of requirements: While rare, some contractors can obtain a waiver of CMMC 2.0 requirements under specific conditions, for example if they are still using “legacy” systems or if certification would impede critical operations. Alternatively, suppliers serving a small niche of the supply chain can seek a waiver if compliance is too burdensome for the business.

The Impact of CMMC 2.0 on Facility Security 

We’re going to see a transformative next four years for defense contractors — specifically in the realm of facility security management. Even since the announcement in 2021, we’ve already seen many changes take effect throughout the industry: 

  • More security controls, more policies, more headaches: As with any compliance demand, you’ll have a lot of “new” going on: New security tools, policies and documentation, training programs, consultants and vendors…the list goes on and on. And without the CMMC certification, good luck winning any future DoD work. 
  • Added operational costs: CMMC 2.0 will hurt your bottom line, at least initially. You’ll need to make heavy investments in industrial security controls, training programs for cleared personnel, and generous compensation packages to hire/retain experienced FSOs who can navigate this space.   
  • Integration of physical and cyber security: Much of CMMC 2.0 concerns “physical” or “industrial” security. IT and facility teams will no longer act as separate functions. You’ll need them to coordinate with one another to achieve the certification. 
  • Appreciation for the entire supply chain: A cyber attack on one defense contractor can mean access to sensitive information across anyone they work with, including subs, suppliers, and the DoD itself. That’s why CMMC 2.0 seeks to reduce supply chain risk. Keep this in mind as you select software vendors and subcontractors to partner with. Are they secure?  

What Does CMMC 2.0 Mean for FSOs?

As mentioned, CMMC 2.0 requirements are reshaping defense contracting. What does that mean for FSOs? A growing set of facility security responsibilities:

  • Collaborating with IT, legal, and risk management teams to obtain and track compliance.
  • Regularly conducting self-directed or third-party security assessments to maintain ongoing compliance.
  • Administering new training for cleared personnel per CMMC 2.0 requirements.
  • Managing documentation for CMMC audits showing either the system security plan (SSP) or POA&M remediation plan to meet requirements.  

This, along with other security industry trends, has reshaped the FSO role. But we also need to give the DoD some credit. While FSOs may have more items to worry about, CMMC 2.0 actually simplified the “compliance” component through these changes.

For example, it’s more straightforward for FSOs to determine what new measures they need because there are now only three maturity levels. And the level you need is entirely dictated by the sensitivity of the information handled:

  • Level 1 if you work in federal contracting but do not handle controlled unclassified information (CUI).
  • Level 2 if you work in federal contracting AND handle CUI. 
  • Level 3 if you work with sensitive information pertaining to national security, including Confidential, Secret, and Top Secret status.    

Another advantage is that you can self-assess for Level 1 maturity and even request waivers of requirements under specific conditions.

Addressing FSO Concerns: CMMC 2.0 FAQs

We’ve covered quite a bit thus far. And as an FSO, you might be a little overwhelmed. But don’t worry; we’ll address your most pressing concerns and common questions: 

What are the CMMC 2.0 requirements?

CMMC 2.0 requirements depend on your maturity level. The minimum, Level 1, lists 17 core security domains based on NIST SP 800-53 guidelines for which you need to adopt controls. The following two levels add more measures from NIST SP 800-171, DFARS 252.204-7012, and AIA NAS9933. Each level also requires ongoing assessments (self-assessment for Level 1, third-party assessments for Level 2, and government-run assessments for Level 3) to maintain a certification.

Has CMMC 2.0 been released? 

Yes! DoD released the CMMC 2.0 requirements and certification expectations back in November 2021. Even so, you don’t necessarily need the certification just yet, at least not for certain contracts. Nevertheless, DoD has recommended that contractors begin taking the right steps to achieve the certification.

When will CMMC 2.0 be required for DoD contracts? 

By 2028, all DoD contracts will require CMMC 2.0 certification from contractors, subcontractors, and suppliers. DoD is also pushing for phased implementation starting in 2025. Some contractors may need to demonstrate compliance now for specific, high-level national security work.

What Level of CMMC 2.0 maturity do I need to contract with DoD?

Your level of CMMC 2.0 maturity entirely depends on the scope of work and what information you handle. Level 1 maturity is required if you’re a federal contractor but do not handle controlled unclassified information (CUI). Alternatively, anyone handling CUI needs Level 2 certification, while Level 3 is specific to sensitive national security information at Confidential, Secret, or Top Secret status.   

Get What You Need for CMMC 2.0 With MathCraft.

Is CMMC 2.0 adding more to your plate than you can handle? It doesn’t have to! With the right partner and industrial security management software, compliance can be a breeze. MathCraft Technologies lets you oversee the facility security component of CMMC 2.0 — all in one intuitive interface. Between the document control automation features, facility monitoring tools, and self-service portal for cleared personnel, you’re on the right track to CMMC success. 

Schedule a demo today to see which CMMC areas our facility security software can help you achieve while supporting cleared personnel activity, visitor management, and audits.  

Also, be sure to check out the MathCraft blog for updates on all things defense contracting. We have excellent insights on cybersecurity, NISPOM, industrial security, and more to help your facility security team thrive. 
