5 Actions To Take To Prepare For CMMC 2.0
If you are a business leader for a manufacturer that is part of the U.S. Defense Industrial Base, you are likely awaiting word about the new CMMC 2.0 standards. You may be checking the internet every week to see if there is any news about when they will be released. You may be wondering what the new standards will require of your organization.
This whole process has been stressful for organizations like yours. It started with the NIST SP 800-171 requirements that DFARS 252.204-7012 imposed on contractors handling CUI. Then came CMMC, followed by the notice that changes were brewing and that a reboot (known as CMMC 2.0) would be forthcoming. Now what?
Rather than sit and wait, there are 5 actions you can (and should) take today to position your organization for CMMC 2.0 and, more importantly, provide necessary protections against rising incidents of cybercrime.
I’ve spent the better part of two decades learning about IT and cybersecurity. In this article, I’ll explain what we know so far about CMMC 2.0 and provide 5 actions to take now that will put you in a better position to fulfill the requirements when it is released.
What Is CMMC 2.0?
Here’s some quick background. In November 2021, the Department of Defense (DoD) announced CMMC 2.0, a revised version of the Cybersecurity Maturity Model Certification program that sets cybersecurity standards for contractors and subcontractors in the U.S. Defense Industrial Base (DIB).
It is designed to protect the sensitive information that DoD shares with contractors and subcontractors, specifically federal contract information (FCI) and controlled unclassified information (CUI).
The announcement said the requirements would be introduced through formal rulemaking and phased in over several years, and that DoD would not put CMMC requirements into contracts until that rulemaking was complete.
What Do We Know About CMMC 2.0 So Far?
We know that CMMC 2.0 will be simpler than the original CMMC standards.
According to the Office of the Under Secretary of Defense for Acquisition and Sustainment, CMMC 2.0 will offer three levels of certification instead of the original five: Level 1 (Foundational), which maps to the basic safeguarding requirements in FAR 52.204-21 and is met by an annual self-assessment; Level 2 (Advanced), which maps to the 110 requirements of NIST SP 800-171 and requires either a self-assessment or a third-party assessment depending on the sensitivity of the CUI involved; and Level 3 (Expert), which adds a subset of NIST SP 800-172 and is assessed by the government.
CMMC 2.0 will:
- focus on the most critical requirements, dropping the CMMC-unique practices and maturity processes of the original model
- align with widely accepted standards (NIST SP 800-171 and 800-172)
- reduce assessment costs by allowing self-assessment at Level 1 and for part of Level 2
- increase oversight of third-party assessors
- offer a flexible implementation schedule, including limited use of plans of action and milestones (POA&Ms) and waivers in select cases
Take These 5 Steps Now To Prepare For CMMC 2.0
Based on my understanding of the requirements of CMMC 2.0, here are steps you can take now to put your organization in the best possible position for meeting the requirements.
- Review your contracts and determine what information you have that is FCI or CUI, if any.
CUI is information that the Federal Government creates or possesses, or that a contractor creates or handles on the government’s behalf, which a law, regulation, or government-wide policy requires or permits to be protected with safeguarding or dissemination controls. It is unclassified, but it is not public, and it must be marked and handled according to those controls. Specific categories of CUI can be found in the DoD CUI Registry.
FCI is information, not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service. It excludes information the government itself makes public and simple transactional information such as payment processing.
Any company that possesses FCI will need to achieve Level 1 (Foundational) CMMC 2.0 certification, even if it does not handle CUI. In practice that is nearly every DoD contractor, because contract documents themselves are usually FCI. Most organizations that handle CUI will require Level 2 (Advanced) CMMC 2.0 certification.
- Review your system security plan (SSP) and plan of actions and milestones (POA&M) documents. (You do have these, right? NIST SP 800-171 requires both, under 3.12.4 and 3.12.2.)
Does your SSP cover the full scope of where FCI and CUI are stored, processed, and transmitted, including cloud services, backups, and any external service providers? What has changed in your environment since it was written and needs to be reviewed? Which items on your POA&M are still open? For each open item, decide when it will be done, who owns it, and where the budget will come from. These same documents drive the NIST SP 800-171 self-assessment score that DFARS 252.204-7019 and 7020 already require you to report in the Supplier Performance Risk System (SPRS), so keeping them accurate has value today, not just when CMMC 2.0 arrives.
- Get your documentation in order. Do you have written cybersecurity policies and procedures in place? Are they actually being followed, and can you produce evidence of that (access reviews, training records, change tickets, log retention)? When did you last review them? If you were audited tomorrow, would your policies and procedures stand up to scrutiny?
- Test and validate the controls you have already marked as implemented. An assessor will use the assessment objectives in NIST SP 800-171A and will expect to see the control working, not just a policy that says it exists. Remember that security is a process, not a destination, and that you should be reassessing your controls (preferably at least annually). Review your documented policies and procedures to be sure they are effective, efficient, and being followed.
- Go beyond the basic compliance steps and actually secure your critical business information.
For example, NIST SP 800-171 (and therefore CMMC 2.0 Level 2) requires you to protect the confidentiality of any backups of CUI, but it does not require you to have backups or a tested recovery capability at all. Ignoring backups in pursuit of the listed controls will provide no comfort if your business is hit by ransomware. CMMC experts often point out, accurately, that the required controls are a confidentiality-focused minimum standard for protecting government information, and meeting them does not by itself mean your company’s own data is secure or recoverable.
What Could Happen If You Are Not Prepared For CMMC 2.0?
There will likely be a phase-in period for CMMC 2.0. By getting ahead of the game, you will be in a better position when the standards are released.
If your organization doesn’t meet minimum CMMC 2.0 level requirements by the timeframe outlined when the standards are released, you may be unable to bid on contracts and lose revenue. In extreme cases, you could even face business closure.
In the meantime, you are exposing your business to cyber threats.
By starting now (if you haven’t already), you’re heading toward a more secure future.
The requirements for CMMC 2.0 don’t have to be overwhelming and they will be less onerous the sooner you start.
How To Get Started Preparing For CMMC 2.0
After reading this article, you now have the latest information about CMMC 2.0.
You know the three levels of certification and how CMMC 2.0 differs from the original CMMC standards.
You know five actions you can take now to get ahead of the requirements.
And, you know the potential long-term implications of noncompliance.
So, how do you take the actions outlined in this article? You may have an internal IT staff that can guide you on your compliance journey. If you have a small IT staff that needs support or don’t have an internal IT group, you may decide to partner with an IT provider.
No matter which way you proceed, you know what needs to happen and why.
At Kelser, we believe we have a responsibility to provide the information business leaders like you need to keep your IT infrastructure available, efficient, and secure.
We know managed IT services aren’t right for every organization, but whether you choose to work alone or with an outside IT organization, it’s important to take the steps outlined in this article to enhance your organization’s overall cybersecurity.
If you find yourself exploring the idea of using an outside IT provider, read this article to find out more about managed IT: What Does A Managed [IT] Services Provider (MSP) Do? (Essential & Premium Services).