The Department of Defense just announced sweeping changes to its strategic initiative, CMMC (Cybersecurity Maturity Model Certification).
After an assessment of over 850 public comments, the department's leadership determined that CMMC would evolve into what it is referring to as CMMC 2.0.
The new direction is good news for government contractors because the department is making CMMC requirements and assessments much simpler, while also creating more flexibility and more reliable oversight.
Key Call Outs
- Instead of the previous 5 levels, CMMC 2.0 has 3 levels
- CMMC 2.0 will use existing NIST standards
- Instead of a maximum of 171 practices, there is a maximum of 110, all based on NIST SP 800-172
- Depending on the level, assessments are much simpler. Level 1 contracts can simply complete annual self-assessments, Level 2 will require third-party assessments on a triennial basis, and Level 3 will require triennial government-led assessments
Benefits of This New Approach
According to an article by the Office of the Under Secretary of Defense, this approach is beneficial in several key ways:
- Focused on the most critical requirements: Streamlines the model from 5 to 3 compliance levels
- Aligned with widely accepted standards: Uses National Institute of Standards and Technology (NIST) cybersecurity standards
- Reduced assessment costs: Allows all companies at Level 1 (Foundational), and a subset of companies at Level 2 (Advanced) to demonstrate compliance through self-assessments
- Higher accountability: Increases oversight of professional and ethical standards of third-party assessors
- Spirit of collaboration: Allows companies, under certain limited circumstances, to make Plans of Action & Milestones (POA&Ms) to achieve certification
- Added flexibility and speed: Allows waivers to CMMC requirements under certain limited circumstances
Changes to CMMC Timeline
These changes are currently proposed, but not final. Companies will be required to comply once rulemaking is complete. According to the Office of the Under Secretary of Defense:
The Department intends to pursue rulemaking both in Part 32 of the Code of Federal Regulations (C.F.R.) as well as in the Defense Federal Acquisition Regulation Supplement (DFARS) in Part 48 of the C.F.R. Both rules will have a public comment period. Stakeholder input is critical to meeting the objectives of the CMMC program, and the Department will actively seek opportunities to engage stakeholders as it drives towards full implementation.
For more information on CMMC, subscribe to our blog for future updates, or check out this page.