Interim DFARS Rules for CMMC Level 3

Maturity Level 3 highlights in the interim DFARS rules for CMMC go into effect on November 30, 2020. These DFARS rules cover changes to both NIST 800-171 and CMMC requirements.

CMMC Section:

  • To handle CUI you must get Level 3 or above
  • Considering removing the 20 additional CMMC practices (on top of 110 NIST 800-171 controls)
  • CMMC requires certification at the time of receiving the award
  • 30% of DIB companies will go for Level 3
  • Cost estimate for Level 3 is $41.6k (will vary depending on complexity, # of sites and applications)
  • $28.6k for the C3PAO assessment

NIST 800-171 Section:

  • It provides a standard NIST 800-171 assessment methodology for 3 levels (Basic, Medium and High)
  • Requirement for assessment level is specified on the contract
  • Basic (most common) level requires self-assessment
  • DoD performs Medium and High level
  • Report results of the assessment (including Basic) to DoD’s Supplier Performance Risk System (SPRS)
  • Contract Officer will confirm results at time of award
  • CMMC phases in during calendar years 2021 – 2025
  • CMMC requires re-assessment no more than every 3 years

For more information on the interim DFARS rule for CMMC, visit the Federal Register website.

Interim DFARS rules for CMMC

For more information about our CMMC related services.

Scroll to Top