In November 2021, the Department of Defense (DoD) announced that the Cybersecurity Maturity Model Certification (CMMC) will be undergoing three major changes to help reduce costs, streamline the compliance process, and be better aligned with other federal standards.
The revamped model is called CMMC 2.0, and it has three key changes:
It will have three tiers of compliance instead of five, with each tier completely matched with other cybersecurity compliance standards, such as those prescribed by the National Institute of Standards and Technology (NIST).
It will allow self-assessments for particular contractors in Level 1 and Level 2 that don’t handle controlled unclassified information (CUI).
A Plan of Action and Milestones in lieu of actual compliance will be allowed in special cases, given that contractors achieve all necessary compliance controls within 180 days of being awarded a contract.
These three critical revisions will be a requirement for all Defense Industrial Base (DIB) contractors and subcontractors when the necessary rulemaking is completed, a process that the DoD anticipates could take anywhere from 9 to 24 months. For reference, it took 22 months for the first published draft of CMMC to take into effect under Defense Federal Acquisition Regulation Supplement (DFARS) 7021.
But while CMMC 2.0 may not be fully implemented until late 2023, the DoD will be keeping the public updated on any changes in the previous model. The following information on the timeline for the CMMC 2.0 implementation can help your organization prepare for its imminent rollout.
Codifying CMMC 2.0: What you should know about its rollout timeline
There are still no specific dates as to when the changes in the CMMC will take effect. However, the Office of the Undersecretary of Defense for Acquisition and Sustainment has released the following information regarding CMMC processes and milestones.
1. Suspension of all CMMC pilot efforts
With CMMC 2.0 underway, the DoD has suspended all compliance efforts toward CMMC 1.0, including previously mandatory CMMC certifications. There is also no mention of pilot programs for CMMC 2.0. Instead, the department continues to encourage the DIB sector to enhance its cybersecurity posture and comply with NIST standards while waiting for CMMC 2.0 to take effect.
2. Interim rule
In the spirit of democracy and transparency, any changes in the CMMC shall be released through an interim rule. During this time, a 60-day public commenting period and a congressional review must be done to examine the proposed rule before it passes into law. However, this doesn’t mean that the change will be effective once these conditions are met. As of the moment, there is no mention of a phased rollout.
3. Mandatory rulemaking obligations
Key to the CMMC 2.0 rollout is how soon the DoD is able to address a couple of rulemaking concerns under Titles 32 and 38 Code of Federal Regulations (CFR) to implement CMMC 2.0. Title 32 CFR stipulates federal-level regulations for cybersecurity requirements, and, in effect, establishes the CMMC program. Meanwhile, Title 48 CFR relates to federal-level regulations for acquisitions, including procurement instructions and updates on contractual requirements. The quicker the department can address the necessary rulemaking, the earlier contractors can expect the implementation of the new CMMC model.
4. Possibility of incentives
While participation in CMMC prior to CMMC 2.0 is voluntary, the DoD is exploring the possibility of providing incentives to contractors and subcontractors that voluntarily obtain a CMMC 2.0 Level 2 certification during the interim period. This is good news for organizations that have already taken steps to achieve CMMC 1.0 compliance, as it ensures that their efforts were not in vain.
How to get started on CMMC 2.0 compliance
A strong cybersecurity posture will always be a requirement in securing a DoD contract. While the DoD stresses that it will not approve any contracts that include a CMMC requirement prior to CMMC 2.0 implementation, the department strongly encourages the DIB sector to meet the 110 security controls stipulated under NIST SP 800-171.
This is because NIST SP 800-171 is completely aligned with Level 2 of CMMC 2.0. The similarities between the two compliance models makes it easier for an NIST SP 800-171-compliant company to achieve compliance with Level 2 standards when CMMC 2.0 becomes law.
As such, the best course of action in the meantime is to keep compliant with other federal cybersecurity standards. After all, the DIB is still subject to the Defense Federal Acquisition Regulation Supplement rules, which require meeting NIST 800-171 and DFARS 7012 standards.
Cybersecurity compliance isn’t achieved overnight. As early as now, your company should start preparing for the CMMC rollout. Charles IT is always ready to give a helping hand; talk to our CMMC experts today!