The Department of Defense’s (DoD) announcement that it is revamping its Cybersecurity Maturity Model Certification (CMMC) program has left many contractors trying to understand how the update will affect their compliance needs and audit requirements. To offer clarity and guidance on the new framework, we put together a list of the top five questions companies have been asking about CMMC 2.0.
1. What are the key differences between CMMC 2.0 and 1.0?
CMMC 2.0 aims to streamline the original assessment framework — while lowering costs and simplifying its implementation — with the following key changes:
- Reducing the number of certification levels from five to three
- Removing maturity processes and CMMC-unique practices
- Aligning Advanced/Level 2 requirements with National Institute of Standards and Technology Special Publication (NIST SP) 800-171 controls
- Basing Expert/Level 3 requirements on a subset of NIST SP 800-172
- Allowing the use of time-limited plans of action and milestones (POAMs) and waivers
This article goes into detail about the major updates to the CMMC program and how these modifications will affect DoD contractors.
2. Why did the DoD make these changes?
The original CMMC program raised significant industry concern about the costs and burdens of meeting stringent cybersecurity requirements and requiring third-party assessments for all contracts at every compliance level. A common criticism was that these substantial investments made it difficult for small- to medium-sized businesses (SMBs) to acquire DoD contracts.
That’s why, after a months-long internal review of CMMC 1.0’s implementation — which involved gathering feedback from industry, Congress, and other stakeholders — the DoD decided to make substantial changes to the program’s strategic direction.
In particular, the changes are intended to:
- Reduce costs, particularly for SMBs;
- Clarify and align cybersecurity requirements with widely accepted standards; and
- Increase trust and confidence in the framework.
Ultimately, the changes reflected in CMMC 2.0 contribute toward further enhancing the cybersecurity of the defense industrial base (DIB).
3. Will companies be required to comply with CMMC 1.0 now that CMMC 2.0 has been announced?
The DoD has been piloting the program with a handful of DIB contractors and was looking to start incorporating CMMC requirements into some contracts in 2021. But in light of CMMC 2.0, the DoD has suspended the CMMC piloting efforts. It also says it does not intend to incorporate CMMC requirements into any contracts until after the rules have been finalized.
While the DoD will not require CMMC certification until it has completed rulemaking, the nearly 500 companies currently working on highly sensitive programs are still obligated to implement controls to protect national security information on their networks. The DoD is encouraging contractors to follow cybersecurity practices laid out in NIST SP 800-171 while CMMC 2.0 is under development.
4. When will CMMC 2.0 certification be required for DoD contracts?
The DoD has already published materials relating to CMMC 2.0, but certification will not be a contractual requirement until the rulemaking to implement the program has been completed. The DoD expects the rulemaking process to take between 9 and 24 months.
5. How much will it cost to implement CMMC 2.0?
As part of the rulemaking process, the DoD will publish a comprehensive cost analysis associated with each compliance level under CMMC 2.0. These costs are expected to be significantly lower than those associated with CMMC 1.0, because CMMC-unique practices and maturity processes, which would otherwise add to the cost of compliance, will be removed.
In addition, contractors who handle only federal contract information (FCI) and not the more sensitive controlled unclassified information (CUI) will no longer need third-party assessments. This is because CMMC 2.0 will allow annual self-assessments for compliance with Level 1 and a subset of Level 2 rather than certification from a CMMC Third Party Assessment Organization (C3PAO). Self-assessments are less expensive and less onerous than third-party and government-led assessments, which is consistent with CMMC 2.0’s aim of reducing costs.
The path to CMMC 2.0 readiness is a long one — but you don't have to tread it alone. Our compliance experts at Charles IT will be with you along the way and help you stay informed about the latest CMMC news, requirements, and updates. We will also provide you with reliable IT services to help your company meet CMMC requirements. Contact us today to learn more!