The interim DFARS rules for CMMC go into effect on November 30, 2020; the highlights below focus on Maturity Level 3. These DFARS rules cover changes to both NIST 800-171 and CMMC requirements.
CMMC Section:
- To handle CUI you must get Level 3 or above
- Considering removing the 20 additional CMMC practices (on top of 110 NIST 800-171 controls)
- CMMC requires certification at the time of receiving the award
- 30% of DIB companies will go for Level 3
- Cost estimate for Level 3 is $41.6k (will vary depending on complexity and the number of sites and applications)
- $28.6k for the C3PAO assessment
NIST 800-171 Section:
- The rule provides a standard NIST 800-171 assessment methodology with 3 levels (Basic, Medium and High)
- The required assessment level is specified in the contract
- Basic (most common) level requires self-assessment
- DoD performs Medium and High level assessments
- Report results of the assessment (including Basic) to DoD’s Supplier Performance Risk System (SPRS)
- Contract Officer will confirm results at time of award
- CMMC phases in during calendar years 2021 – 2025
- CMMC requires re-assessment no more than every 3 years
For more information on the interim DFARS rule for CMMC, visit the Federal Register website.