Many vendors are unsure how the Department of Defense's (DoD) announced revision of the Cybersecurity Maturity Model Certification (CMMC) scheme will affect their compliance and reporting responsibilities. We have compiled the leading questions firms have been asking about CMMC 2.0 to provide clarification and insight on the new framework.
1. What is the difference between CMMC 2.0 and 1.0?
The latest version of CMMC for DoD contractors aims to streamline the existing assessment method while keeping costs down and easing deployment, through the following essential modifications:
- Reducing the number of certification levels from five to three
- Eliminating CMMC-specific maturity processes and practices
- Aligning Advanced/Level 2 requirements with NIST SP 800-171 from the National Institute of Standards and Technology
- Basing Expert/Level 3 requirements on a subset of NIST SP 800-172
- Permitting time-limited plans of action and milestones, as well as waivers
2. Why did the Department of Defense make these changes?
The initial CMMC program sparked widespread anxiety in the industry about the costs and responsibilities of satisfying stringent cybersecurity criteria and of mandating third-party assessments for all contracts at every level of compliance. Critics pointed out that these large investments would make it challenging for small and medium-sized businesses (SMBs) to win DoD contracts.
That is why, following a months-long internal review of CMMC 1.0's implementation, which included seeking feedback from industry, Congress, and other stakeholders, the Department of Defense chose to make significant modifications to the program's strategic direction.
The reforms aim to:
- Reduce costs, especially for small businesses
- Clarify and align cybersecurity obligations with generally accepted standards
- Boost confidence and trust in the ecosystem
Taken together, the modifications contained in CMMC 2.0 help strengthen the security of the defense industrial base (DIB).
3. Now that CMMC 2.0 has been announced, will organizations still be required to comply with CMMC 1.0?
The Department of Defense had begun piloting the program with a few DIB contractors, with the goal of introducing CMMC DFARS requirements into specific contracts by 2021. However, in light of CMMC 2.0, the Department of Defense has put the CMMC pilot program on hold. It also says it will wait until rulemaking is complete before incorporating CMMC requirements into any contracts.
While the Department of Defense will not require CMMC certification until rulemaking is complete, the almost 500 organizations working on highly sensitive programs must nonetheless implement safeguards to protect national security information on their systems.
While CMMC 2.0 is being developed, the Department of Defense is urging contractors to adopt the cybersecurity requirements outlined in NIST SP 800-171.
4. When will DoD contracts demand CMMC 2.0 certification?
The Department of Defense has already released information on CMMC 2.0, but certification will not be a binding obligation until the program's rulemaking is finished. The Department of Defense estimates that the rulemaking process and associated deadlines will take 9 to 24 months.
5. How much would CMMC 2.0 implementation cost?
The Department of Defense will publish a complete cost analysis for each level of compliance under CMMC 2.0 as part of the rulemaking process. Because the CMMC-specific practices and maturity processes that would otherwise contribute to compliance costs are being eliminated, these expenses are expected to be much lower than those associated with CMMC 1.0.
Furthermore, contractors that handle only federal contract information (FCI), rather than the more sensitive controlled unclassified information (CUI), will no longer require third-party assessments. Instead of requiring validation from a CMMC Third Party Assessment Organization (C3PAO), CMMC 2.0 will allow annual self-assessments to demonstrate adherence at Level 1 and for a subset of Level 2. Self-assessments are more cost-effective and less time-consuming than third-party and government-led assessments, which aligns with CMMC 2.0's cost reduction goal.