Cybersecurity continues to be a critical issue that is front and center for defense contractors. For the past two years, defense contractors have been preparing for the implementation of the Department of Defense’s (DoD) landmark Cybersecurity Maturity Model Certification (CMMC) program— a cybersecurity training, certification, and third-party assessment program intended to measure the maturity of a contractor’s ability to demonstrate compliance with the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
In November 2021, the DoD announced significant changes to the strategic direction of its CMMC program. The enhanced “CMMC 2.0” is intended to simplify the requirements and reduce the compliance burden on contractors. Over the past few weeks, the DoD has released key documentation relating to the updated CMMC 2.0 framework, including a CMMC 2.0 Model Overview, self-assessment guides for the new Levels 1 and 2, and scoping guidance, in addition to other helpful tools for contractors. The updated framework is different from CMMC 1.0 in three key aspects: CMMC 2.0 streamlines the model by reducing the compliance levels from five to three and aligns those levels more closely to existing cybersecurity standards, allows for self-assessments, and increases the flexibility of implementation by allowing plan of action and milestones and waivers in limited circumstances. The DoD has suspended the CMMC pilot program and stated that it will not include CMMC requirements in solicitations until the rulemaking process is finalized— which it estimates could take anywhere from 9 to 24 months.
Overall, CMMC 2.0 maintains the program’s original goal of safeguarding sensitive information but the updated framework minimizes barriers, reduces costs, and makes it easier for small and mid-sized contractors to achieve compliance and compete. Looking ahead, although the final rule is not expected until at least summer 2022, in the meantime contractors should continue to focus on meeting their NIST SP 800-171 obligations and improving their cyber hygiene in preparation for CMMC 2.0 implementation.