Key Points Covered:
CMMC is Mandatory: If you handle Controlled Unclassified Information (CUI) or Federal Contract Information (FCI), compliance is required—no exceptions.
4-Phase Rollout Timeline: Starting 60 days after the DFARS rule finalization (expected between July-September 2025), the implementation spreads over 3 years, with increasing certification demands.
Assessment Levels Explained:
Level 1: Self-assessment of 17 basic practices for FCI - all must be met (no POA&Ms).
Level 2: 110 controls and 320 objectives from NIST 800-171 - can start with a self-assessment for 12 months, but eventually requires a C3PAO audit.
Level 3: For high-impact programs - must be government-assessed and preceded by Level 2 certification.
Documentation is Key: A strong System Security Plan (SSP) is essential, even for self-assessments.
Urgent Call to Action: Start preparing immediately, especially if you're aiming for a Level 2 self-assessment window. Delaying could put your federal contract eligibility at risk.
Want Help? Schedule a free discovery call with TechSage Solutions: www.techsagesolutions.com/discoverycall
