There are some important updates to the Cybersecurity Maturity Model Certification (CMMC), and all Department of Defense (DoD) contractors need to be aware of the new guidelines. On November 4th 2021, the DoD announced significant changes to the CMMC model that impact all contractors. The goal of the CMMC 2.0 implementation is to streamline and simplify the process and to reflect a more advantageous cost model for the Defense Industrial Base (DIB).
In contrast to CMMC 1.0, the new 2.0 model has a consolidated level structure, reducing the model from 5 maturity levels to 3. This consolidation reflects the maturation of the model concept, improved efficiency in implementation, and a focus on the most important elements.
Some of the key benefits of CMMC 2.0 include:
- Reduced cost and barriers to entry for small and medium businesses.
- Improved ease of execution of the CMMC process, and enhancement of public trust in the entire CMMC initiative and ecosystem.
- Creation of a more collaborative cybersecurity environment for government contractors.
The Major Updates:
- CMMC Level 1 maintains the same 17 practices, but third-party certifications are no longer required. Instead, companies will be required to have a senior official sign an annual self-attestation.
- For companies that hold Controlled Unclassified Information (CUI), Level 3 has been redesignated to Level 2 and the practices reduced from 130 to 110. Additionally, the 4 processes have been eliminated, aligning CMMC with NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.
- CMMC Level 3 will consist of 110+ practices derived from NIST SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171, and will be necessary for companies supporting the most critical defense programs. Those programs will require government-led assessments.
- CMMC 2.0 is now the focus. CMMC compliance will become a contractual requirement after the DoD completes the rulemaking process, which is estimated to take 9-24 months.
What should my company do now?
For companies that do not possess CUI:
- Educate employees on cyber threats and best practices
- Implement Access Controls
- Ensure authorized users are properly authenticated
- Implement and monitor controls governing physical facility and assets
- Understand, implement, and monitor best practices for information security
- Review and apply guidance provided in the CMMC 2.0 Level 1 Self-Assessment documentation
For companies with CUI, compliance with DFARS 252.204-7012, 7019, and 7020 is mandatory.
What are your next steps?
- If your company does possess CUI, conduct a self-assessment for compliance with NIST SP 800-171 and generate a Plan of Action and Milestones (POAM) to document deficiencies and plan a strategy for remediation. Consider prioritizing and/or enhancing controls for the most critical cybersecurity practices and managing your POAM to fully comply with NIST SP 800-171.
- We can help! Contact La Jolla Logic to schedule a free consultation for our preparation and certification services. Get ahead of the competition – start now!
With the year-over-year escalation in ransomware, malware and other threats, the price of weak security practices and non-compliance is very real. Every business should act now to enhance its security practices and reduce the cost and risk of a compromised system.
Staying ahead of the threat is the name of the game.