On November 4, 2021, the Department of Defense (DoD) issued a much-anticipated press release on its CMMC. And let me tell you, DoD did something unexpected.
During the release, DoD revealed its plans to retract CMMC 1.0 and replace it with a streamlined version called CMMC 2.0.
The news of CMMC 2.0 is causing quite a stir in the world of compliance. To put it simply, the changes that come with CMMC 2.0 are substantial.
And today, we are going to review everything DoD contractors need to know about CMMC 2.0. And what all this new information means for your business.
But first, let’s start with a CMMC recap.
What does CMMC stand for?
Cybersecurity Maturity Model Certification.
It is a part of the DoD’s efforts to secure the Defense Industrial Base (DIB). At its core, CMMC is a cybersecurity assessment model and certification program.
Who needs to be CMMC compliant?
First, all DoD contractors (primes and subcontractors) will need to meet a CMMC level. This also includes suppliers and firms at every tier of the DIB supply chain.
That means the 300,000+ organizations registered to bid on DoD RFPs must meet the CMMC level specified in a solicitation before award.
What has changed from CMMC 1.0 to 2.0?
The focus of CMMC 2.0 is very much the same as CMMC 1.0. Its primary goal is to safeguard sensitive information through implementing regulatory standards and assessments.
But some of those standards and assessment practices will change with CMMC 2.0.
In a nutshell, CMMC 2.0 is all about simplifying the CMMC standard. The 2.0 update provides more clarity on cybersecurity regulatory, policy, and contract requirements.
To help make sense of all these developments, we’ve outlined our top 6 takeaways from the CMMC 2.0 announcement. These takeaways will cover everything you need to know about these upcoming changes.
CMMC 1.0 is no more.
The DoD suspended the entire CMMC 1.0 framework with the CMMC 2.0 announcement. That means companies are not required to obtain certification under the CMMC 1.0 framework.
CMMC Framework is now 3 Levels.
CMMC 2.0 continues to be a multi-tiered framework. However, with CMMC 2.0, there are now only 3 maturity Levels, not 5.
CMMC 1.0’s Levels 2 and 4 are no more. DoD determined that these old levels were primarily transitional and not needed for CMMC 2.0.
Here is what the new framework looks like:
- Level 1 is the Foundational Level, and it remains the same from CMMC 1.0 to CMMC 2.0
- Level 2 is the Advanced Level, and it was formerly known as Level 3
- Level 3 is the Expert Level, and it was formerly known as Level 5.
Major assessment changes.
CMMC assessments are very different in this new version. It is no longer one size fits all. CMMC 2.0 implements tiered assessment requirements based on the sensitivity of the information shared with contractor companies.
At Level 1 (Foundational), organizations will now demonstrate compliance through annual self-assessments.
At Level 2 (Advanced), contractors that hold critical national security information will use CMMC third-party assessment organizations (C3PAOs) for triennial (once every three years) assessments.
However, there will be a select set of Level 2 programs that will only need annual self-assessments. Those organizations eligible for self-assessments do not handle information DoD deems critical to national security.
At Level 3 (Expert), all organizations will go through a government-led triennial assessment. C3PAOs will not conduct assessments for this level.
CMMC tracks with existing standards.
I have great news for those who had to be NIST compliant in the past.
The new Maturity Level 2 aligns with the existing NIST SP 800-171 standard (110 practices). The DoD has eliminated the additional CMMC-unique practices and maturity processes that CMMC 1.0 layered on top of NIST 800-171 at this level.
And CMMC 2.0’s Maturity Level 3 now aligns with NIST 800-172 requirements.
Room for Plans of Action and Milestones (POAM).
CMMC 2.0 allows a POAM in limited circumstances. However, a POAM will not be acceptable for certain “weighted” controls. If a company seeks to use a POAM, it must achieve a certain minimum assessment “score” to be eligible.
There will be a required timeframe for a company to complete all its POAMs. And if a company fails to meet the deadline, it can result in the termination of its contract.
Possibility of waivers.
The DoD will be able to approve waivers for an organization that is unable to meet CMMC requirements. DoD will only approve the waiver if it is necessary to accomplish mission-critical work.
Additionally, these waivers will have expiration dates.
What does CMMC 2.0 mean for your business?
The implementation of CMMC 2.0 will significantly reduce assessment costs for all DoD contractors at Level 1. And a certain subset of companies at Level 2 will also benefit from this reduction.
While self-assessments do reduce cost, the risk of non-compliance remains the same. A self-assessment must be accompanied by an annual affirmation from a senior company official, so the company is putting its own name behind the result.
Failure to be compliant can result in the loss of government contracts. But that is not all…
The Department of Justice uses the False Claims Act to help enforce cybersecurity compliance, and its Civil Cyber-Fraud Initiative targets contractors that misrepresent their cybersecurity practices. The DoJ is actively encouraging whistleblowers to come forward.
What to do next?
Right now, CMMC 2.0 is making its way through the DoD rulemaking process. But that does not mean government contractors are off the hook for compliance.
The Defense Federal Acquisition Regulation Supplement (DFARS) remains in force. Under DFARS 252.204-7012, contractors handling controlled unclassified information must already implement NIST SP 800-171, and under DFARS 252.204-7019 and 7020 any DIB organization can be selected for a DoD-led NIST 800-171 assessment.
So, companies within the DIB must keep up with their compliance workload. Now is the time to make sure your organization is running a compliant cybersecurity program.
And as you know, compliance and security are no easy tasks, especially for smaller businesses. Many SMBs that work within the DIB don’t have the personnel with the ability to handle these tasks.
That’s where MRW Systems’ cybersecurity team, NetGarde, comes in.
NetGarde will help you meet compliance requirements with confidence.
We are an official CMMC Registered Provider Organization (RPO) with Registered Practitioners (RP) on staff. That means we have the certifications and training to help with all things CMMC.
Every single day, we’re helping organizations work towards better compliance. And unlike our competitors, we don’t believe in out-of-the-box solutions.
Instead, we tailor our services to your organization’s needs. This way, you receive the level of care you need. To learn more about what we can do for you, please click here: https://www.mrwsystems.com/cmmc-solutions/