Cybersecurity Maturity Model Certification
The backstory… What is CMMC?
Cybersecurity Maturity Model Certification (CMMC) is a program launched by the Department of Defense (DoD) to protect controlled unclassified information (CUI) when that data is shared with the government’s vast array of Defense Industrial Base (DIB) contractors. The CMMC program promised a more rigorous and more uniform assessment and certification process to ensure cyber-terrorists were not getting their hands on data they should not have!
Good News, CMMC 2.0 is coming!
In what we see as good news for small and midsized Defense Industrial Base (DIB) contractors, the DoD updated the CMMC program guidance today. The updated guidance advises there will be a CMMC 2.0 program structure that seems to reduce complexity at first, specifically for smaller contractors. Per the DoD in review of feedback comments related to CMMC 1.0: “…these comments focused on the need to enhance CMMC by… reducing costs, particularly for small businesses… CMMC 2.0 is designed to meet these goals, which also contribute toward enhancing the cybersecurity of the defense industrial base.”
What is different with CMMC 2.0?
For small contractors, it now seems 2.0 will include a more streamlined three-level structure instead of the previous five levels in 1.0. Further, there is a reference to aligning the standard with the NIST standard, with which most DIB contractors are already aligned (or are in the process of aligning)! This could create drastic cost savings for DIB contractors. There is also slated to be a “Foundational” Level 1 in the new model, requiring only 17 practices and following an annual self-assessment model. Take a look at the graphic below for an illustration:
When do I have to comply with CMMC 2.0?
The DoD advises it could be 9-24 months before rulemaking is in place and CMMC 2.0 begins being included as a contract requirement. For organizations that might be behind the eight-ball, this should be plenty of time to get some of the foundational practices in place, so you are not losing out on new contracts once CMMC 2.0 hits the ground running.
What do I do in the meantime?
For now, your best bet is to stick with aligning your organization to DFARS and NIST 800-171. We expect the CMMC 2.0 practices to be heavily aligned with this standard, so if you are working toward staying in alignment with NIST, you should be in great shape with CMMC 2.0 coming into play!