The Department of Defense (DoD) introduced the Cybersecurity Maturity Model Certification (CMMC) in 2019. This framework outlined a series of security standards contractors must meet to win DoD contracts, so it’s a big concern for many companies. However, four years later, the Cybersecurity Maturity Model Certification rollout has yet to take effect.
Part of this delay comes from the fact that the DoD has revamped the CMMC. The new framework — appropriately called CMMC 2.0 — makes several important changes and comes with a new timeline. Government contractors may have to adapt to these adjustments and should stay on top of upcoming deadlines as the schedule changes.
Now that the DoD has reworked its security standards, the Cybersecurity Maturity Model Certification rollout timeline looks a little different. The original CMMC framework took effect in November 2020 and established a five-year transition period. After some initial comments, the DoD announced CMMC 2.0 in November 2021.
That announcement did not offer specific deadlines or implementation dates, but the DoD has revealed more since then. The DoD is currently in the rulemaking process for CMMC 2.0. The revised framework won’t be a contractual requirement until this phase ends.
This rulemaking stage can last between nine to 24 months, suggesting it’s coming to a close soon. Recent government updates support this, as a fall 2022 document outlines a May 2023 implementation date for the revised CMMC. If this falls in line with the original transition period, all contracts must meet these standards by late 2025. Even if the DoD delays this rollout again, deadlines will likely arrive sooner rather than later. Consequently, the time to prepare for CMMC 2.0 is now.
It’s important to familiarize yourself with CMMC 2.0 as these tentative deadlines approach. The new framework has several key differences from the first. Most notably, it uses a simplified three-tier system instead of the original five.
The first tier, titled “Foundational”, involves 15 specific security practices, two fewer than CMMC 1.0’s lowest tier. It also allows self-assessment to qualify for this level, where the first framework required third-party audits for every tier.
Level two, “Advanced”, requires contractors to meet the NIST “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” guidance (SP 800-171), standard. It’s the same one they had to attain before the CMMC, but CMMC 2.0 also required third-party assessments for most cases in this tier, which 800-171 doesn’t. Similarly, the third tier, “Expert”, aligns with NIST SP 800-172 (a supplement to SP 800-171), and requires government-led assessment.
Unlike the first framework, CMMC 2.0 also lets the government waive CMMC requirements in some circumstances. It also holds third-party auditors to a higher standard, despite allowing for self-assessment for lower tiers. Like the first version, contractors must achieve higher levels to earn more sensitive and valuable contracts.
As the final stages of the CMMC rollout timeline approach, it’s time to prepare. CMMC 2.0 is more streamlined than the original framework, but early adaptation is still important for a fast, easy compliance process. Here’s how to prepare CMMC 2.0 before the DoD requires it.
The first step in preparing for CMMC 2.0’s rollout is ensuring you understand the specific requirements for each tier. Because the DoD is still in the rulemaking process, some measures may change between now and the final regulations. However, you’ll have an easier time adapting if you’re familiar with the general expectations.
Start by determining your desired level of certification. If your firm deals mostly with low-sensitivity contracts, tiers one or two are likely sufficient. However, remember that aiming for tier three opens the door to more profitable contracts.
CMMC 2.0 follows NIST standards more closely than the first iteration, so you should familiarize yourself with the NIST guidance. Review the latest versions of NIST SP 800-171 and 172. Start implementing some of these controls so you have less to do when compliance becomes mandatory.
As you become more familiar with these standards, ensure that other employees do the same. Any insider can impact security, so security teams aren’t the only ones who should recognize relevant risks and best practices.
Human error is one of the biggest threats to any network, so this training is essential to cybersecurity. Beyond basic protection, CMMC assessors will almost certainly check for insider vulnerabilities. Training all employees on CMMC 2.0 standards and informing them of upcoming deadlines will be an important part of passing these inspections.
Ensure everyone understands the reasoning behind this training. When employees recognize how their actions affect the organization and their own security, they’ll be more likely to comply.
Even though the CMMC rollout timeline is still relatively uncertain, it’s best to assess your standing as soon as possible. Early assessments may not count toward your certification, but they can reveal where your security posture falls short.
Perform a self-assessment, or hire an outside penetration tester to see how you stand up to NIST SP 800-171 or 172. If you pass with no major recommendations, you know you’re ready for CMMC 2.0. If you have room to improve, you can address that now to streamline compliance later.
Third-party and government assessors will likely be remarkably busy as CMMC 2.0 deadlines approach. Consequently, the compliance process may be slow, but you can minimize that by addressing shortcomings beforehand.
Pay attention to the Cybersecurity Maturity Model Certification rollout timeline as it develops. Keep up with any new press releases or similar developments from the DoD to ensure you know all relevant requirements and deadlines.
With so much of the CMMC 2.0 timeline still up in the air, new deadlines and other changes are likely. These could disrupt your operations if you don’t prepare accordingly. Staying informed and working closely with other DoD contractors and industry insiders will help you adapt faster.
As of 2020 — well before CMMC 2.0’s rollout — 34% of compliance teams spent up to three hours a week updating policies and procedures to keep pace with new regulations. Another 31% spent more than eight hours a week on these tasks. Compliance is time-intensive, so these early adjustments are crucial.
CMMC 2.0 will significantly affect how the DoD awards contracts, as well as the risks of noncompliance. If you want to remain competitive in the industry and minimize the cost of compliance, you should start preparing today. Understanding and preparing for these changes now will help contractors ensure success and safety in the future. You can then capitalize on lucrative government contracts early and easily.
About the Author:
Emily Newton is the Editor-in-Chief of Revolutionized, an online magazine celebrating innovations in industry, science and technology.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.