Data Security Talk

004 - CMMC Compliance



A detailed discussion about CMMC (Cybersecurity Maturity Model Certification) 2.0 between Bill Falk from Actifile and Steve Rutkovitz from Choice Cyber Solutions. Steve, with 21 years of MSP experience, explains that approximately 80,000 companies will need CMMC certification starting in 2025.

The discussion covers the transition from CMMC 1.0 to 2.0, which reduces the model from five levels to three, with Level 2 requiring 110 requirements (320 individual controls) under NIST-171. Steve emphasizes that companies handling CUI (Controlled Unclassified Information) must achieve Level 2 certification.

The certification process requires extensive documentation, with SSPs (System Security Plans) typically exceeding 110 pages. Audit costs vary significantly, by tens of thousands of dollars. The certification is valid for three years but requires annual attestation and risk assessments.

Steve predicts that CMMC standards will expand beyond the DoD to other government entities and industries.


Data Security Talk, by Guy Bavly, Assaf Litai, and Bill Falk