The five-year implementation time allows defense contractors in the DoD supply chain who process sensitive government information to obtain CMMC certification, demonstrating the level of cybersecurity maturity required in their respective DoD contracts.
However, in November 2021, following a review carried out as part of the Biden Administration’s effort to enhance the security of the US supply chain, the DoD announced proposed changes to the CMMC program. Under the new approach, which has yet to be officially implemented, the CMMC framework would be updated and significant changes made to the requirements for contractors. These changes are now progressing through the rulemaking process and are expected to take effect in the next 9 – 24 months.
CMMC 1.0 consisted of five different levels, whilst the new framework simplifies this down to three levels and removes the requirement for third-party assessment at the lower maturity levels.
[Image from https://www.acq.osd.mil/cmmc/about-us.html]
As well as no longer requiring third-party assessment at every level, CMMC 2.0 introduces the ability for companies, under certain limited circumstances, to submit Plans of Action & Milestones (PoAMs) where not all requirements are yet met. This enables DIB organizations to move forward on their contracts whilst simultaneously closing any compliance gaps. Waivers of the CMMC requirement will also be allowed in limited circumstances.
CMMC 2.0 was announced following the DoD’s review of the existing framework. The aim was to introduce a more streamlined model aligned with widely accepted standards, specifically the NIST SP 800-171 and 800-172 requirements. The changes are also intended to reduce assessment costs through the introduction of self-assessments at the foundational levels, and the introduction of PoAMs for achieving certification in certain circumstances makes the scheme more flexible and easier to implement.
The changes to the requirements will give contractors a lot more flexibility in how they become compliant, with self-assessment becoming an option for many of them. This means the process will be simpler and cheaper for many smaller contractors, who will no longer need to seek third-party assessment. The reduction in the number of CMMC levels, and in the number of practices at each level, makes becoming compliant more straightforward, and many DIB organizations should already meet the Level 2 requirements if they have NIST 800-171 compliance obligations under existing contracts. The introduction of PoAMs will also make it more manageable for organizations to close any compliance gaps within a reasonable timeframe without disrupting their work.
The alignment to the NIST frameworks, specifically NIST SP 800-171 for Level 2 and NIST SP 800-172 for Level 3, means that organizations already working to these frameworks will find it easier to meet the requirements of CMMC 2.0.
Whilst the rulemaking effort is ongoing, the DoD intends to suspend the current CMMC piloting effort and will not approve the inclusion of a CMMC requirement in any DoD solicitation, so there is no immediate CMMC requirement for contractors to consider.
The official rollout of CMMC 2.0 is likely to happen between July 2022 and November 2023. However, the DoD has stated that it is exploring opportunities to provide incentives for contractors who voluntarily obtain CMMC certification in the interim.
This places greater focus on contractors’ NIST 800-171 compliance in the short term. So, in the meantime, if you think that you will have contractual requirements to obtain CMMC certification in the future, ensuring that you are compliant with the requirements of NIST 800-171 creates a solid foundation to build from, since the Level 2 practices are drawn directly from that standard.
With cybersecurity being defined as a “core national security challenge” and an ongoing area of focus of the Biden Administration, it is important for companies to continue to enhance their cybersecurity posture and to be prepared to comply with the CMMC requirements when the rulemaking process is complete.
If you want to assess the compliance of your core network devices, Nipper is a valuable tool for auditing firewalls, switches and routers, with out-of-the-box capability to evidence compliance with NIST 800-171 and CMMC, as well as other Risk Management Frameworks. Request a free trial to see how the software can benefit your organization.
Matt Malarkey