What Do I Need To Know About CMMC 2.0? The Evolution
If your company is a government contractor or subcontractor, you may be wondering what is going on with the Cybersecurity Maturity Model Certification (CMMC).
This week the U.S. Department of Defense (DoD) announced it is revamping the CMMC pilot program into a new construct known as CMMC 2.0. The announcement has raised a lot of questions.
You may be trying to make sense of it all and wondering what it means for you. It can be tough to keep track of the daily and weekly developments, especially when you are juggling the million other things that demand your attention when you run a business.
As manager of information security and compliance at Kelser Corporation, a managed services provider, I follow cybersecurity developments daily. I’ll tell you what’s changed and why, how it may impact your business, the expected timeline (as of this moment), and the best steps to take while CMMC is being sorted out.
What Is CMMC?
CMMC is the next generation of protection for data shared within the U.S. Defense Industrial Base (DIB). It has been developed to systematically assess and certify the maturity of an organization's cybersecurity processes and procedures.
Why Is CMMC Changing?
According to the U.S. Office of the Under Secretary of Defense (OUSD) list of frequently asked questions about the update, the DoD received more than 850 public comments in response to the interim rule establishing CMMC 1.0.
Comments focused on:
- reducing costs (particularly for small businesses),
- increasing trust in the CMMC assessment ecosystem, and
- clarifying and aligning cybersecurity requirements to other federal requirements and commonly accepted standards.
According to the OUSD, CMMC 2.0 is designed “to meet these goals, which also contribute toward enhancing the cybersecurity of the defense industrial base.”
So, in general terms, as with any new process, there will be some evolution and growing pains as it is developed and implemented.
Most people in the IT community anticipated this evolution (and many expect it to continue).
Answers To Your Questions
The redesign removes some of the requirements in an effort to streamline and improve implementation of the CMMC program.
In the meantime, the DoD is suspending the requirement for CMMC in proposal solicitations.
1. What Are The Main Differences?
Here are the differences at a glance (CMMC 1.0 vs. CMMC 2.0):
- Certification levels: 5 levels in CMMC 1.0; 3 levels in CMMC 2.0 (eliminates Levels 2 and 4 of CMMC 1.0)
- Assessments: third-party assessment for all levels in CMMC 1.0; some self-assessment and certification permitted at certain levels in CMMC 2.0
- Waivers: CMMC 2.0 introduces discussion of waivers for certain requirements (details to come)
- CMMC-unique practices: included in CMMC 1.0; eliminated in CMMC 2.0
The changes are designed to make the CMMC process easier, while still maintaining the ultimate objective: strengthening the cybersecurity protocols of organizations doing business with the government as either a contractor or subcontractor.
2. How Will These Changes Affect My Business?
CMMC 2.0 still needs to undergo a 9- to 24-month rulemaking process before it will be implemented (and ultimately required) by contract.
The changes should make it easier and less expensive for companies to implement and monitor.
3. Is CMMC Going Away?
Earlier this year, the White House issued an Executive Order aimed at improving the nation’s cybersecurity stance.
Most IT professionals agree that CMMC may continue to evolve, but it is not going away.
4. What Does The Timing Look Like?
Currently, the timing of incorporating CMMC 2.0 as a contractual requirement looks to be at least a couple of years away.
7 Actions You Can Take While The Details of CMMC Are Being Finalized
Keep monitoring the situation and get your “cybersecurity” house in order. It is important for companies to start doing these things now.
Here are 7 things to focus on:
1. Implement NIST 800-171
By proactively implementing NIST 800-171 if you haven’t already, you will be in a much better position when CMMC becomes a contractual requirement. NIST 800-171 provides a solid cybersecurity framework to not only protect your company and customer data, but also to prepare you for the requirements of CMMC (version X.0).
There will likely be other changes, but NIST 800-171 is a good cybersecurity baseline to have in place and will make it easier to adapt to the additional requirements of CMMC when it is rolled out.
2. Educate employees about cyber threats
When it comes to cybersecurity, employees are an important line of defense, but they can only help if they know what to do! Make it a priority to provide effective cybersecurity training for all employees.
3. Implement access controls
Know who is accessing your data and when. Proactive monitoring can detect patterns of behavior and identify issues before they get too far along.
4. Authenticate users
Make sure that the person signing in to your infrastructure is really the person you think it is. Multi-factor authentication provides an extra level of security and identification and, in many cases, it is already part of your current software offerings; all you need to do is turn it on!
5. Monitor your physical space
Make it hard for cybercriminals to access your information. Your physical security is as important as your cybersecurity; make sure both are up to snuff.
6. Update security protections
Make sure updates and patches are installed in a timely manner to protect your systems and networks as well as your individual devices.
7. Document cybersecurity policies/procedures
Employees can only be responsible for policies and procedures if they exist. Cybersecurity procedures in particular take time to document and communicate. Changing behavior takes time.
When it comes to cybersecurity plans, the best time to start is yesterday. Being proactive is key to keeping your organization’s information safe.
Wondering If An IT MSP Partner Can Help Enhance Your Security Posture?
You may be feeling overwhelmed with all of the requirements of cybersecurity. Although it’s not right for every business, an MSP can often be a cost-effective solution for small- to medium-sized businesses (SMBs) that don’t have the budget to hire a full-time, on-site IT staff.
If you want to focus on running your company without the added stress of worrying about your IT infrastructure, an IT MSP partner can help.
Kelser Corporation has been partnering with small and medium-size businesses for decades. If you’d like to learn more about how we can help you make sense of CMMC or any other IT issues,
In the meantime, we’ll stay on top of developing news on CMMC and publish updates as the details emerge. Stay tuned!