On November 4, the Department of Defense (DoD) announced significant changes to the Cybersecurity Maturity Model Certification (CMMC). The CMMC has seen only modest changes since it first became federal law in December 2020, bringing it to version 1.02. The framework will now advance to version 2.0, which includes updates to the protocol’s core as well as a simplified structure of security levels and an exemption mechanism.
Officials overseeing the CMMC for DoD contractors have stated that the CMMC 2.0 update will address long-standing concerns in the defense contracting field, particularly among small-to-medium sized businesses (SMBs), even though complete details are still pending. The compliance burden for many firms will be significantly reduced, since the requirement for third-party assessment will be eliminated for more than half of the defense industrial base.
Although it will be at least nine months before the new CMMC criteria appear in contracts, vendors planning for CMMC compliance will need that time to adjust their plans and prepare for the recent changes to the rules.
A new course for CMMC
Since it was first unveiled in 2019, the CMMC has served as a template for government organizations looking to impose higher cybersecurity compliance requirements on their supply chain participants. This objective has never been more crucial than it is now, following a year of unprecedented attacks that highlighted serious vulnerabilities within federal agencies and contractors.
The DoD has, however, struggled to strike a balance between “adopting the policies they need to counter cyber attacks” and “minimizing hurdles to compliance,” according to the DASD for Industrial Policy.
As a result, lawmakers and business executives have voiced concerns that certain defense contractors may find the CMMC regulations burdensome or expensive.
The DoD has now indicated a new route for CMMC under DFARS that takes these issues into account: CMMC 2.0 will give small enterprises in the defense contracting market more flexibility, with less dependence on third-party assessment and a simpler core structure.
Steps to Take When Preparing for CMMC 2.0
CMMC 2.0 keeps significant consistency with current cybersecurity laws and compliance procedures. It also holds defense vendors to a high threshold of accountability and cyber-readiness, which is a considerable advancement.
While there are still many unresolved issues regarding the new program, it is never too early to begin preparing by following a few straightforward steps:
Designate C-level officials to authorize annual evaluations. Many firms are accustomed to the present NIST SP 800-171 self-certification procedure. Under CMMC 2.0, a Level 1 or Level 2 organization that is not storing prioritized CUI will need an executive-level officer to approve the self-assessment, while most of the process will stay the same.
Utilize DoD resources. With the new CMMC 2.0 approach, the DoD has committed to assisting its partners in any way it can. Project Spectrum, which offers organizations free instructional material and a cyber readiness check, is one example of how the DoD can help.
Get a preparedness assessment. Because CMMC 2.0 is based on current NIST requirements, you can start positioning your company for compliance immediately. A competent preparedness assessment will identify weaknesses in your assets and infrastructure and produce an organization-specific roadmap for CMMC 2.0 compliance.