On December 26, 2023, the Department of Defense published for comment a proposed rule for the Cybersecurity Maturity Model Certification (CMMC) 2.0 program. 

Phase 1 (Rule approved)

CMMC Level 1 or Level 2 self-assessments become a condition for contract award. 

Phase 2 (Phase 1 + 6 Months)

DoD will add CMMC Level 2 certification assessment requirements to all new applicable contract awards. 

  • Contractors required to pass a third-party Level 2 CMMC assessment to be eligible for contracts with the CMMC Level 2 certification requirement. 
  • DoD may also include CMMC Level 3 certification assessment requirements in certain contracts at its discretion.

Phase 3 (Phase 2 + 1 Year)

DoD will extend the CMMC Level 2 certification assessment requirement to applicable contracts that were awarded prior to DoD’s finalization of the CMMC rule. 

  • DoD will not exercise options on existing contracts unless the contractor has passed a third-party Level 2 CMMC assessment. 
  • DoD will add CMMC Level 3 certification assessment requirements to all applicable contract awards. 
  • Contractors required to pass a third-party Level 2 CMMC assessment to be eligible for contracts with the CMMC Level 2 certification requirement. 
  • DoD may also include CMMC Level 3 certification assessment requirements in certain contracts at its discretion.

Phase 4 (Phase 3 + 1 Year)

Full implementation of the CMMC program. DoD will include all CMMC Program requirements in all applicable DoD solicitations and contracts including option periods on existing contracts. 


Are you prepared?

August Schell is a Registered Practitioner Organization (RPO) for CMMC. Here are just some of the services we can help with.

Scoping & Inventory

Scoping is the most difficult and time-consuming phase of a CMMC assessment. August Schell’s CMMC experts will save you time by mapping CMMC asset categories to your unique environment, identifying which assets are subject to CMMC controls and, most importantly, which assets are not, saving time and money. As part of this process, August Schell will identify:

  • Controlled Unclassified Information (CUI) Assets 
  • Security Protection Assets: People, Technology, and Facilities performing security functions to protect CUI. 
  • Contractor Risk Managed Assets: Assets that can but are not intended to contain CUI. 
  • Specialized Assets: Assets that may or may not contain CUI (government property, IoT devices, test equipment).
  • Out of scope: Assets that cannot process CUI. 

CMMC Practices Evaluation 

Every organization seeking CMMC certification is unique.  August Schell’s CMMC team will walk through the objectives of all CMMC controls to identify those that do not meet CMMC standards using the most cost-effective means of evaluation by: 

  • Interviewing appropriate staff members. 
  • Examining documents, mechanisms, or activities of the organization. 
  • Testing assets to determine if an objective has been met. 

Implementation & Remediation 

Leverage August Schell’s extensive list of OEM partnerships and engineering expertise to develop a cost-effective remediation plan that ensures your environment meets all CMMC objectives, giving you the confidence of knowing your organization meets Department of Defense contract requirements.

  • Work with system administrators to configure systems to address identified configuration gaps.
  • Research, recommend, and implement technological solutions that enable the customer to achieve a “Met” result for identified practice gaps.
  • Work with managed/external service providers to implement changes under the shared responsibility model to meet practice objectives.

Assessment Representation 

Remove the stress of dealing with a CMMC Third-Party Assessor Organization (C3PAO) and have August Schell’s CMMC experts do it for you. As a Registered Practitioner Organization (RPO), August Schell’s CMMC team will conduct all phases of the assessment on your behalf, freeing up your employees to focus on their tasks.

  • Conduct scoping sessions.
  • Present evidence-based answers to the C3PAO to address CMMC practice objectives.
  • Serve as the technical expert to answer C3PAO assessment questions.

Want to learn more?