March 8, 2022
What can you expect from CMMC and other federal regulations in 2022? To make these logical predictions, a few quick recaps are in order first. Here are the most recent highlights and how they will affect us this year.
Executive Order on Improving the Nation’s Cybersecurity
The executive order issued on May 12 of last year calls for new data security and incident reporting regulations, publication of requirements for secure software development practices, and establishment of criteria for consumer labeling programs for software and Internet of Things (IoT) devices.
What does this mean for 2022? For starters, the next set of deliverables introduced in the executive order are due this February. These relate to solidifying practices for enhancing the security of the software supply chain, and publicizing criteria for the software and IoT consumer labeling programs.
Civil Cyber-Fraud Initiative
On Oct. 6 of last year, the Department of Justice announced a new Civil Cyber-Fraud Initiative to enforce cybersecurity standards and reporting requirements. The initiative will use the False Claims Act to pursue companies that do business with the government as well as federal grant recipients that “knowingly provide deficient cybersecurity products or services, knowingly misrepresent their cybersecurity practices or protocols, or knowingly violate obligations to monitor and report cybersecurity incidents and breaches.”
This year, you can expect the DOJ to pursue enforcement actions against companies. Companies should keep this enforcement initiative in mind as they develop or enhance their cybersecurity policies or take on new cybersecurity contract clauses and seek to limit risk by ensuring they understand, and can comply with, government data security and reporting requirements.
CMMC 2.0
The “big one” happened last November, when the Department of Defense announced an updated version of its cybersecurity certification program — CMMC 2.0 — which includes several changes to the original CMMC program. CMMC 2.0 takes a risk-based approach to protecting sensitive defense information in company systems through rigorous security requirements and third party certifications or company self-attestations. The DoD recently indicated most if not all government contractors working with CUI would be subject to 3rd-party assessments.
Although frequently plagued by delays, it’s highly likely that the formal rulemaking process (including opportunity to comment) for CMMC 2.0 will begin sometime this year in 2022. Once it does, the DOD estimates the rulemaking process will take anywhere from 9 to 24 months. In the meantime, companies that work in the DOD space should be closely following all proposed cybersecurity developments and prepare for the implementation of CMMC 2.0 by continuing to monitor and enhance their cybersecurity posture. Fortunately, this is an area we are experts in.
Rimstorm can help you prepare for your CMMC 2.0 audit in a number of ways. We can provide a CMMC Cybersecurity Review which will detail all gaps in your processes and/or controls required to achieve CMMC certification. This report will also make recommendations on how to correct these deficiencies. If desired, we can also help fill in the gaps through managed security services and other cybersecurity services. Contact us today to learn more.