The Department of Defense (DoD) is preparing to enforce the Cybersecurity Maturity Model Certification (CMMC) version 2.0 starting early next year, marking a critical shift in the defense sector’s approach to cybersecurity. According to David McKeown, Deputy Chief Information Officer for Cybersecurity and Senior Information Security Officer at the DoD, the Pentagon aims to integrate CMMC 2.0 into defense contracts by the first quarter of 2025.
What is CMMC 2.0?
CMMC 2.0 is an upgraded version of the original cyber certification program that was first announced in 2019. The goal of CMMC 2.0 is to bolster the cybersecurity capabilities of the Defense Industrial Base (DIB), while addressing industry concerns that CMMC 1.0 was overly costly and restrictive. This revision streamlines the certification process, making it more practical for defense contractors and subcontractors to meet CMMC requirements without compromising on security.
Under CMMC 2.0, defense contractors handling controlled unclassified information (CUI) must adhere to cybersecurity standards, but the structure is simplified. Instead of the original five-level scale, CMMC 2.0 operates on a three-level scale, which reduces complexity by eliminating unnecessary security practices.
CMMC 2.0 Compliance Levels
CMMC 2.0 reaffirms that contractors must follow the controls set by the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. The certification now consists of three levels:
- Level 1 (Foundational): Contractors handling the least sensitive information can perform self-assessments to confirm compliance with basic cybersecurity controls.
- Level 2 (Advanced): For contractors handling more sensitive CUI, self-assessments are allowed for some, but many will need to undergo third-party assessments by a Certified Third-Party Assessor Organization (C3PAO).
- Level 3 (Expert): Companies dealing with highly sensitive or classified information must undergo government evaluations. These companies, around 600 entities, are required to meet the most rigorous CMMC certification standards.
Easing the Cost Burden for Contractors
One of the main criticisms of CMMC 1.0 was the cost burden on defense contractors, particularly small businesses. CMMC 2.0 seeks to address this issue by allowing contractors to self-assess for lower levels of certification, thus avoiding the financial costs associated with third-party assessments. For those at CMMC Level 3, though, more rigorous assessments by government evaluators will be mandatory.
The Department of Defense considered the costs of planning, assessments, and compliance in its new proposed rule, aiming to minimize financial impacts while ensuring robust security.
Timeline for CMMC 2.0 Rollout
The public comment period for the new rule ended on February 26, 2024, and the DoD plans to begin rolling out CMMC requirements early next year. Full implementation of CMMC compliance across all contracts is expected by October 1, 2026, although waivers may be issued in select cases.
For defense contractors, early preparation for CMMC 2.0 is essential. Understanding the specific CMMC requirements for each level and planning accordingly will help companies avoid disruptions in securing DoD contracts.
Follow us on our Linkedin page: https://www.linkedin.com/company/dod-cmmc/
Catch up on in-depth explanation of CMMC 2.0: https://dod-cmmc.com/cmmc-2-0-program/