CMMC EDGES EVER CLOSER

The Department of Defense will do a type of dry run this summer to test out the implementation of its Cybersecurity Maturity Model Certification (CMMC) 2.0 protocol. Selected defense contractors will participate in “tabletop exercises” where DOD creates a sample program and walks through the entire process. The agency wants to make sure that CMMC 2.0 is properly configured to examine a proposal and captures the right information.

The final determination of whether contractors that handle Controlled Unclassified Information (CUI) will be able to conduct a self-assessment or will need to have a third-party assessment has not yet been made. The final rule implementing the CMMC regulation is still in the regulatory process. DOD officials have said, though, that contractors who hold certain kinds of CMMC Level 2 CUI will only need to do a self-assessment, while others who hold more sensitive Level 2 data will need to get a third-party assessment. Companies that do not hold CUI, but only hold Federal Contract Information (FCI), will be able to conduct a self-assessment once every three years. The assessment will review the company’s compliance with 15 security controls outlined in NIST 800-171. This is likely to be the same standard for companies that only need to have CMMC Level 1 status. The NIST requirements for each of the three CMMC levels are likely to be specifically spelled out in the final rule, in addition to appearing in NIST documentation.

The entire CMMC implementation process is likely to take years, despite initial statements from DOD that it would be rolled out quickly. The agency now estimates that approximately 80,000 DOD contractors will be covered by CMMC requirements on some level. Many larger defense contractors have already taken steps to ensure compliance and are prepared to go through the third-party assessment process. Smaller, commercial item companies may not yet have done the work.
It is a best practice to look at the NIST 800-171 requirements and ensure compliance with at least the most basic 15 security controls. Companies are supposed to be compliant with those already, but DOD found that many that had self-certified to that standard did not, in fact, meet it. CMMC was born of that failure to comply with the NIST standards. Make sure your company is prepared now so that it can continue to do business with DOD, and remember that similar standards are likely coming soon to a civilian agency contract near you.