- November 15, 2021
The evolving threat landscape has called for more robust cybersecurity measures, as there has been a 67% increase in security breaches in the last five years. Therefore, the loss of sensitive, national defense information could have grave implications for national security if it falls into the wrong hands.
As a result, the U.S. Department of Defense (DoD) introduced the Cybersecurity Maturity Model Certification (CMMC) framework as a unified standard to ensure that all defense industrial base (DIB) contractors and DoD partners meet specific levels of cybersecurity requirements. In addition, the set levels within the CMMC framework helps to increase the preparedness to handle controlled unclassified information (CUI) in the face of a cybersecurity incident.
Announced on January 31st, 2020, the CMMC program comprises various processes, frameworks, and inputs from existing cybersecurity stand like NIST, FAR, and DFARS. This initiative by the DoD is essential for measuring the capabilities, readiness, and sophistication of U.S. federal contractors operating within critical infrastructure sectors and beyond. However, CMMC 2.0 is the revamped version of the CMMC framework.
The newly updated version would reduce the regulatory burden on DIB contractors and DoD partners. In addition, with the program structure and requirements streamlined, it would ease and improve the implementation of the CMMC program. In the interim, the DoD is considering providing incentives to companies who voluntarily obtain a CMMC certification.
Recent Updates Introduced in the CMMC 2.0
The Department of Defence has recently announced BIG changes to CMMC with CMMC 2.0. A presentation held by the CMMC-AB (CMMC-Accreditation Body) with the key members of the federal government contracting committee shed some light on the changes to CMMC. Below are some important highlights of the updated CMMC 2.0 framework:
- The CMMC 2.0 removed Maturity Levels 2 and 4.
- Level 2, previously Maturity Level 3, is based entirely on NIST 800-171 (for CUI contracts).
- Plan of Actions and Milestones (POA&M) requirements are back, with some caveats and a 180-day time limit to complete them.
- Self-assessments are also back for Level 1 and a subset of level 2 (required for non-prioritized government contracts).
- CMMC Third Party Assessment Organization (C3PAO) audits will only apply to level 2 prioritized government contracts.
- The DoD has suspended the pilot program and CMMC requirements in contracts during the rule-making period, which could take 9 to 24 months to complete.
All in all, this is a win for SMB DIB contractors. We can expect further clarification on changes like the bifurcated approach to Level 2 assessment and other intended requirements. In the meantime, these changes do soften the impact of CMMC on the majority of DIB contractors and afford us (GoldSky Security) the time to integrate the needed processes and technology for clients.
Impacts of the CMMC 2.0 Update
The enhanced Cybersecurity Maturity Model Certification 2.0 program follows the original goal of safeguarding sensitive information from cybercriminals. However, the updated version simplifies the CMMC standard and clarifies cybersecurity policy, regulatory and contracting requirements. Third-party assessments and advanced cybersecurity standards are necessary only for those companies involved in the highest priority programs under CMMC 2.0.
While the initial CMMC program consisted of five increasingly stringent levels, the CMMC 2.0 would bring some much-awaited changes. The pilot program level one focused on basic cyber hygiene, while level five included advanced cybersecurity controls. Companies must achieve cybersecurity compliance with lower-level requirements and implement the necessary processes with specific cybersecurity practices to progress to the higher levels.
The CMMC 2.0 update is going to strengthen the cybersecurity posture of the defense industrial base. Lowering the barriers of DOD compliance requirements would ensure accountability for companies to implement cybersecurity standards. It would enhance public trust in the CMMC ecosystem along with increasing the overall ease of execution. The CMMC 2.0 updates would help establish a more collaborative relationship with the industry and develop a culture of cybersecurity resilience.
As the defense industrial base is a lucrative target for cybercriminals, enhancing the DIB cybersecurity is crucial to thwarting the ever-evolving cyber attack vectors. Attaining CMMC accreditation shows that the company has fulfilled all the requirements of the DOD regarding cybersecurity. It builds credibility and also proves that the company is serious about its cybersecurity posture. In addition, a strong partnership with GoldSky’s CMMC service offering can help SMB DIB government contractors and sub-contractors efficiently align their infrastructure with CMMC 2.0 requirements in record time.
The changes brought by the Cybersecurity Maturity Model Certification 2.0 have significantly streamlined the CMMC compliance requirements. In addition, the updated version of the CMMC removed many barriers, thus making it much more feasible for smaller federal contractors to attain CMMC certification. Although defense contractors can achieve certification status without meeting every security control, it is better for SMBs to properly outline their plan of action and meet the requirements for future changes that would most likely arise.
While the CMMC 2.0 version may have made it easier by toning down specific requirements, SMBs must take cyber security and privacy issues seriously. Attack vectors are rapidly evolving, and advanced hacking techniques are becoming more challenging to detect and prevent. Therefore, organizations must engage with a reputable CMMC expert to reduce risk and ensure continuous adherence to the security regulatory and compliance space.