The Department of Defense (DoD) has released a new version of its Cybersecurity Maturity Model Certification (CMMC) requirements for its supply chain. The new version (referred to as CMMC 2.0) was drafted in response to more than 850 responses that the DoD received during the public comment period following the release of the initial 1.0 version.
The updated CMMC 2.0 is designed to simplify the certification process, reduce assessment costs, and give suppliers a more flexible path to attain certification.
Here’s a high-level look at what’s changed with CMMC:
- CMMC Levels Trimmed Down From 5 to 3
- CMMC Audit Requirements Reduced
- CMMC Compliance Timeline Changes
CMMC Levels Trimmed Down From 5 to 3
Taking the five CMMC levels down to three and eliminating the CMMC-unique practices is intended to reduce the complexity of compliance dramatically.
Level 1 is unchanged from the original CMMC requirements and still includes 17 basic cyber security practices.
Level 3 has become Level 2, which is considered “Advanced” and is now based solely on NIST 800-171. Within Level 2, there will be two subsets of suppliers – those that need to have a third-party audit and those that can self-assess.
Most companies that are required to comply with CMMC will need to meet Level 2 requirements.
The previous Level 5 is now Level 3. This level is the “Expert” stage for suppliers and will not apply to most companies. This is because Level 3 requirements do not necessarily flow all the way down through a prime contractor’s chain of vendors. It all depends on the information that the vendor is handling.
CMMC Audit Requirements Reduced
Reduced third-party audit requirements dramatically decrease the cost of CMMC compliance for many companies. Level 1 suppliers, and a portion of Level 2 suppliers, need only complete self-assessments.
Level 2 companies that do require a third-party audit need one only every three years. Part of that audit will include demonstrating proof of successful self-assessment for the other two years.
CMMC 2.0 also offers greater flexibility: in certain circumstances it allows waivers, and in others it accepts a Plan of Action and Milestones (POAM) towards full compliance, rather than requiring proof of full compliance before certification can be attained.
CMMC Compliance Timeline Changes
Until the rulemaking process for CMMC has been completed, there won’t be any DoD contract requirements for compliance. However, that doesn’t mean that suppliers can downgrade the importance of cyber security or neglect getting started on making NIST 800-171 their standard for security practices and processes.
Voluntary audits will begin in 2022, and companies are required to submit their information annually to the Supplier Performance Risk System (SPRS) site. Reviewers will no doubt be looking for progress made with security compared with previous submissions.
Additionally, companies that have submitted a Plan of Action and Milestones (POAM) will likely have a completion date in 2023 and will need to demonstrate that they’re making progress towards getting all of the NIST 800-171 security controls in place.
Contractors are still required to meet all cyber security requirements for Controlled Unclassified Information (CUI) that have been part of DFARS (Defense Federal Acquisition Regulation Supplement) for years.
Working Towards Security Maturity for a Competitive Advantage
Despite the changes and delays in CMMC compliance requirements, companies in the DoD supply chain are encouraged to voluntarily make progress with security maturity. In fact, the Department is evaluating ways to incentivize successful Level 2 attainment before the rulemaking period for CMMC 2.0 is complete.
Registered Practitioners remain the go-to resource for companies that want to ensure they are heading in the right direction with CMMC and their POAM items. Many executives see working with a Registered Practitioner as a way to mitigate risk, and it gives them confidence that they will not be left out of new contract opportunities because of security gaps.