Not much is set in stone right now when it comes to CMMC compliance. DoD contractors and cybersecurity professionals alike are waiting for answers from policy makers on what CMMC 2.0 will officially look like before deciding their next steps.
Even though it will be between an estimated 9-24 months before we get our answers, there are still many reasons to start the journey of CMMC compliance now rather than later.
But First, A Little CMMC Refresher
The Cybersecurity Maturity Model Certification (CMMC) program was initially released in January 2020 with the intention of improving cybersecurity standards for Department of Defense (DoD) contractors that possess Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). CUI is government-created and government-owned information, like blueprints and intellectual property, and FCI is any contract to develop or deliver a product to the Federal Government.
CMMC 1.0 vs. 2.0
CMMC 1.0’s replacement won’t be here for quite some time, but here are three of the biggest differences between 1.0 and 2.0 based on what we know so far:
- Elimination of levels 2 and 4
- Level 1 will now be a self-assessment
- The Plan of Action and Milestone (POA&M) process is back
The biggest reason for reducing CMMC from five levels to three is to reduce confusion. Not everyone knew which level of CMMC they needed to comply with, so most were aiming at Level 3 right off the bat because the DoD dubbed Level 3 “Good Cyber Hygiene.”
In addition, no one was 100% certain which contractors would be required to comply with Level 5. By removing Levels 2 and 4, policy makers have alleviated some of the confusion regarding which level of compliance is required.
In addition to the elimination of two levels, Level 1 will now be a self-assessment. Previously, all DoD contractors were required to have a certified third-party assessment completed regardless of compliance level. The new self-assessment will level the playing field and allow smaller contractors to continue to compete for DoD contracts against larger organizations.
Lastly, and in my opinion the most notable difference, is the reinstatement of the POA&M process. According to Covington & Burling LLP, “These changes are also notable, as DoD previously indicated that a significant driver of its shift to the CMMC model was to move contractors away from reliance on POA&Ms and to require contractors to achieve full implementation of required security controls in order to perform work on DoD contracts involving sensitive information.” In short, this process is no longer pass/fail and allows contractors to still achieve certification as long as they have a plan in place to comply with all the requirements of the level they are after.
According to Jesse Salazar, Deputy Assistant Secretary of Defense for Industrial Policy, these modifications “establish a more collaborative relationship with industry,” and “will support businesses in adopting the practices they need to thwart cyber threats while minimizing barriers to compliance with DoD requirements.”
When Will CMMC Compliance Become Mandatory?
We have established that CMMC rulemaking is still underway and will be for quite some time. So when will DoD contractors be required to comply with 2.0?
CMMC 1.0 was set to go into full effect by October 2025. This meant that all DoD contractors would be required to meet some level of CMMC compliance by this time or they would no longer be able to compete for these contracts.
The announcement of CMMC 2.0 has flipped everything upside down. Since CMMC 2.0 will not be officially released for at least another 9-24 months, October 2025 is subject to change as the mandatory requirement date.
Three Reasons to Start Now
Even though there is still some time before CMMC 2.0 is officially fully developed and released, there are still many reasons why DoD contractors should start the compliance process now, rather than later.
1. Compliance Takes Time
The first reason to start now is simply because compliance takes time. While we don’t know exactly what CMMC 2.0 is going to look like quite yet, we do know that compliance won’t be an overnight fix. CMMC Level 2 will be directly aligned with NIST 800-171 and, according to Kelser, generally takes 6-8 months to comply with because of its 14 key areas of consideration.
In our experience assisting clients through these compliance requirements, implementing the security controls required in NIST 800-171 takes sustained effort, dedicated resources, and a defined budget and plan. The additional time afforded to those in the DIB (Defense Industrial Base) is a blessing in disguise and should be used to its full extent.
2. Reduce the Likelihood of a Cybersecurity Incident
The second reason to start now is to reduce the likelihood of a cybersecurity incident. NIST 800-171 is considered good cyber hygiene and the cybersecurity improvements that are made when implemented can drastically decrease an organization’s overall risk posture. Start your journey by focusing on one or two key areas. If you try to tackle all 14 control families at once, your organization will easily become overwhelmed.
For example, when it comes to end-user-related security controls, a company is only as secure as its weakest link. Whether we realize it or not, cybersecurity is the responsibility of everyone, no matter your job title. From CEO to intern, good cyber hygiene must exist at every level. This includes ensuring strong passwords are in place and taking the extra time to verify that a link in an email is legitimate before clicking on it.
Based on that, if one of your starting points is user training and awareness, you should ask yourself, “Are my employees properly instructed on how to identify a phishing email or scam?” If the answer is no, have your security team work with HR to get a security training course out to all employees that incorporates regular testing and perhaps even live training modules. Employees also need to be able to report indicators of insider threat per NIST 800-171, and those indicators are not easy to identify without proper training.
If you haven’t started yet, we recommend tackling one task at a time; before you know it, you’ll be that much closer to an improved cybersecurity posture.
3. Potential Financial Incentives
The third reason to start CMMC compliance now is potential financial incentives. While the CMMC pilot efforts have been suspended until rulemaking is completed, an article in the National Defense Magazine states that the “department encourages contractors to continue to enhance their cybersecurity posture during the interim period while the rulemaking is underway. The DoD is exploring opportunities to provide incentives for contractors who voluntarily obtain a CMMC certification in the interim period.”
In addition to the incentives noted above, prime contractors and the DoD are taking notice of those in the DIB who take cybersecurity seriously, and organizations that choose to voluntarily comply and go through an independent audit will likely take a front seat when it comes to contract awards. The value of that sort of head start could be immeasurable.
The Bottom Line
It could be up to two years before we have all our questions answered regarding CMMC 2.0, but that doesn’t mean we should wait to start the process. CMMC isn’t going anywhere and the defined path forward will be here before we know it. We recommend taking advantage of this extra time to plan and budget for compliance efforts.
Take advantage of DoD Project Spectrum (https://www.projectspectrum.io/#!/). While targeted toward small and medium-sized contractors, it offers lots of great information on how to become compliant.
Cybersecurity is easily one of the best investments a company can make. Don’t wait to start and get ahead of CMMC. The countdown starts now.