May 11, 2022
CMMC 2.0 goes into full effect this year. What does this mean for your organization?
While further changes are still possible, 2022 is expected to be the year for realignment for the training entities charged with providing education needed for the individuals who will eventually assess the cyber fitness of defense contractors. The Department of Defense is hoping for a smoother path ahead for its process of ensuring that all defense industrial base contractors meet cybersecurity requirements for handling controlled unclassified information, or CUI.
A Quick Recap on the CMMC Changes
The new CMMC 2.0 standard includes several key changes. Foremost, it streamlines the levels of certification from five down to three. Level 1, called “Foundational,” is an annual self-assessment with only 17 practices to follow. Level 2, dubbed “Advanced,” includes third-party assessments every three years for the protection of critical national security information, and annual self-assessments for select programs; companies must follow 110 practices aligned with the National Institute of Standards and Technology’s guide on “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” The most advanced level, “Expert,” includes third-party assessments every three years, and vendors must follow additional practices aligned with an enhanced version of NIST’s guide on protecting CUI.
Why the Change from CMMC to CMMC 2.0?
The DOD says the new program includes reduced assessment costs, as well as more accountability via enhanced oversight of professional and ethical standards of third-party assessors. Additionally, they state 2.0 is more flexible, because it allows companies to make limited “Plans of Action & Milestones” and grants waivers to CMMC requirements under certain limited circumstances.
The changes were made in an effort to reduce compliance costs (particularly for small businesses), increase trust in the CMMC assessment ecosystem, and clarify and align cybersecurity requirements to other federal requirements and commonly accepted standards.
How CMMC 2.0 Affects You
The requirement for the safeguarding of CUI within an approved environment has not changed and must be fully compliant to the security controls as prescribed in NIST 800-171. This is good news for many organizations, as it makes the entire framework somewhat less complicated while still ensuring the greatest amount of protection.
Let us help you prepare for an audit. We can provide a CMMC Cybersecurity Review which will detail all gaps in your processes and/or controls required to achieve CMMC certification. This report will also make recommendations on how to correct these deficiencies. If desired, we can also help fill in the gaps through managed security services and other cybersecurity services.
Contact us today for a free CMMC 2.0 planning guide.