*** On 11/4/2021 the Department of Defense (DoD) approved changes to Cybersecurity Maturity Model Certification (CMMC) and released what is known as CMMC 2.0.
This blog will outline the changes based on what is known at the time of posting. Our CMMC webpage will continue to be updated as additional changes or information become available. ***
A Strategy to Get Started with an Information Security Program
CMMC 2.0 and how it may impact your organization
KEY TAKEAWAYS IF YOUR TIME IS SHORT:
CMMC 2.0 has redefined the cybersecurity requirements for contractors in the Defense Industrial Base (DIB)
4 key considerations:
- Not all contractors will need certification; but those who don’t still need to self-attest compliance with the same requirements.
- Are you confident enough in your security practices to self-attest compliance?
- Process maturity requirements have been eliminated. You will still need those processes to maintain practices year-to-year.
- CMMC 2.0 will be become a contract requirement once rulemaking completes, expected between 8/2022-11/2023, giving you less time to prepare.
Introduction to CMMC and CMMC 2.0
Published November 23, 2021 – The Cybersecurity Maturity Model Certification (CMMC) was developed by the United States Department of Defense (DoD) and the initial version (CMMC 1.0) went into effect November 30, 2020. It is meant to protect against the theft of intellectual property and sensitive information within the Defense Industrial Base (DIB). In November 2021, DoD announced updates to what is now known as CMMC 2.0. CMMC 2.0 is based on, and replaces the previous requirements of, DFARS, NIST 800-171, and CMMC 1.0. Previously, contractors would self-report they comply without any true oversight or accountability. Now, contractors will need to self-report or be certified at the required CMMC level prior to receiving contracts from the DoD. CMMC 2.0 will take effect as soon as the DoD completes their rulemaking process, which is expected to take 9-24 months. CMMC 2.0 will become a contract requirement once rulemaking is completed.
Change in requirements
CMMC 2.0 has aligned with NIST SP 800-171 by removing 20 practices that were unique to CMMC 1.0. Process maturity requirements have also been removed from the certification process. Even with these requirements being removed from assessment, they haven’t gone away completely.
Self-assessment for some organizations
A majority of organizations will be able to self-assess and report their scores in the SPRS system, a subset will still require third-party assessments to become certified.
It is expected that CMMC will become contract requirement once rulemaking completes, expected between August 2022 and November 2023. This is years earlier than previous CMMC requirement (rollout until 2026).
Dopkins is a CMMC Registered Provider Organization (RPO) for companies doing business with the United States Department of Defense (DoD)
If you would like to have a conversation about the implications of CMMC for your organization, please contact Patrick Rost, CISSP, CMMC-AB RP (email@example.com). Check out our CMMC page for more information about CMMC and how we can assist your evaluation and preparation.
About the Author
Patrick M. Rost, CISSP, CMMC-AB RP
Patrick assists clients with improving their cyber security from a technical perspective. With nearly 10 years of information technology experience in a variety of industries, he is well-suited to assist clients in implementing, maintaining and protecting their computer networking environments.