Now is the time to prepare for CMMC 2.0 if you are a DoD supplier. Be aware that for Level 2 and Level 3 of the new CMMC, a third-party assessment will be required and all of your employees will need to know your policies, procedures, and protocols. Drip7's gamified cybersecurity training platform makes content easy to customize so your employees are prepared.
SPOKANE, Wash., May 2, 2023 /PRNewswire-PRWeb/ -- With the original May 2023 rollout date here, and no official word on when CMMC 2.0 will appear in contracts, speculation has been raging. Some anticipate it anywhere from as soon as June of this year to spring of 2024, but as yet, no one knows. But does it even matter when it shows up?
According to Noël Vestal, the Compliance Officer at PreVeil, "The most important thing I keep telling everyone is that CMMC is just a certification, NIST 800-171 is the actual compliance framework. And NIST 800-171 is already a contractual obligation NOW. Meaning, people need to address their NIST 800-171 controls… like yesterday."
Whereas CMMC 1.0 may have put the fear of the DoD into companies, the proposed 2.0 seems more reasonable — even if still a massive undertaking. CMMC 2.0 is now exactly in line with NIST 800-171. So what is the concern? It might be that some members of the DIB, who were entering their company's NIST 800-171 self-assessment scores into the Supplier Performance Risk System (SPRS), might not have been telling the truth and have a lot of work to do to keep out of hot water.
Unlike the earlier version of CMMC, version 2.0 only allows self-assessment for Level 1. Levels 2 and 3 require assessment by a Certified Third Party Assessor Organization (C3PAO). But here's an often overlooked detail that is worth knowing:
The C3PAO can and will interview multiple employees within your organization and ask about policies and security procedures. If you want to pass your certification assessment, make sure your employees are trained. Training is always a key element to staying secure — whether you're seeking CMMC certification or not. But for certification, it is indispensable.
"Everybody that has DoD contracts needs to be getting ready," says Heather Stratford, CEO of Drip7. "You don't want to waste valuable time waiting for the official CMMC update to launch. Start training now."
Ensuring that your employees are well-trained and able to answer questions accurately is crucial. With Drip7's highly customizable content, creating and distributing training material is a breeze. The platform is also mobile-friendly and uses a microlearning format, allowing employees to learn at their own pace. Additionally, the gamified interface leverages the neurochemistry of how brains learn, making retention of information more effective.
All companies can benefit from improved training — not just those awaiting news about CMMC — especially since the DoD is working on a new rule that will bring CMMC-like requirements to an even broader set of companies. Defaulting to the NIST framework and maintaining compliance with it, whether contractually obligated or not, is an excellent starting point for cybersecurity.
