Our sponsor, Kieri Solutions, has released an in-depth review and analysis of CMMC Level 2 Self-Assessments according to the CMMC Proposed Rule.
Not official guidance for CMMC Proposed Rule
This paper is for educational purposes and is not authoritative in any way for the CMMC Program.
Includes instructions to comment on CMMC Proposed Rule
Towards the end of the presentation, we include links to documents related to CMMC Level 2 Self-Assessment so that you can read them yourself and provide comments.
The comment period expires on 2/26/2024. Make sure to get your comments in before that date!
CMMC Level 2 Self-Assessments are a stringent standard
As you will see in the analysis below, self-assessments don’t get any breaks. POA&Ms are extremely limited and expire after 180 days, just like certification assessments.
CMMC Rule includes timeline, procedures, POA&Ms, and enforcement
What are your thoughts?
Do you think the DoD intentionally left FedRAMP for Security Protection Data Cloud Providers out of the rule?
What will happen if a company uses their conditional self-assessment (POA&M) then has a POA&M for their certification assessment? Will they be allowed to record a conditional certification assessment while not being allowed to record a conditional self-assessment again?
Why are cloud providers not third-party-validated when defense contractors have to do it?