The Department of Defense’s (DoD) announcement that it is revamping its Cybersecurity Maturity Model Certification (CMMC) program has left many contractors trying to understand how the update will affect their compliance needs and audit requirements. To offer clarity and guidance on the new framework, we put together a list of the top five questions companies have been asking about CMMC 2.0.
CMMC 2.0 aims to streamline the original assessment framework — while lowering costs and simplifying its implementation — with the following key changes:
This article goes into detail about the major updates to the CMMC program and how these modifications will affect DoD contractors.
The original CMMC program raised significant industry concern about the costs and burdens of meeting stringent cybersecurity requirements and requiring third-party assessments for all contracts at every compliance level. A common criticism was that these substantial investments made it difficult for small- to medium-sized businesses (SMBs) to acquire DoD contracts.
That’s why after a months-long internal review of CMMC 1.0’s implementation — which involved gathering feedback from industry, Congress, and other stakeholders — the DoD decided to make substantial changes to the program’s strategic direction.
In particular, the changes intend to:
Ultimately, the changes reflected in CMMC 2.0 contribute toward further enhancing the cybersecurity of the defense industrial base (DIB).
Related reading: The Strategy Behind the DoD’s CMMC Update
The DoD has been piloting the program with a handful of DIB contractors and was looking to start incorporating CMMC requirements into some contracts in 2021. But in light of CMMC 2.0, the DoD has suspended the CMMC piloting efforts. It also says it does not intend to incorporate CMMC requirements into any contracts until after the rules have been finalized.
While the DoD will not require CMMC certification until it has completed rulemaking, the nearly 500 companies currently working on highly sensitive programs are still obligated to implement controls to protect national security information on their networks. The DoD is encouraging contractors to follow cybersecurity practices laid out in NIST SP 800-171 while CMMC 2.0 is under development.
The DoD has already published materials relating to CMMC 2.0, but certification will not be a contractual requirement until the rulemaking to implement the program has been completed. The DoD expects the rulemaking process and timelines to take between 9 and 24 months.
As part of the rulemaking process, the DoD will publish a comprehensive cost analysis associated with each compliance level under CMMC 2.0. These costs are expected to be significantly lower than the ones associated with CMMC 1.0, because CMMC-unique practices and maturity processes, which would otherwise add to the cost of compliance, will be removed.
In addition, contractors who handle only federal contract information (FCI) and not the more sensitive controlled unclassified information (CUI) will no longer need third-party assessments. This is because CMMC 2.0 will allow annual self-assessments for compliance with Level 1 and a subset of Level 2, rather than certification from a CMMC Third Party Assessment Organization (C3PAO). Self-assessments are less expensive and less onerous than third-party and government-led assessments, which is consistent with CMMC 2.0’s aim of reducing costs.
The path to CMMC 2.0 readiness is a long one — but you don't have to tread it alone. Our compliance experts at Charles IT will be with you along the way and help you stay informed about the latest CMMC news, requirements, and updates. We will also provide you with reliable IT services to help your company meet CMMC requirements. Contact us today to learn more!