

CMMC 2.0 Is Coming. Know These 3 Changes




Image by Pete Linforth from Pixabay

CMMC compliance has likely been on your mind for quite some time now. Since it was announced, the discourse around the DoD’s upcoming Cybersecurity Maturity Model Certification program has been vigorous. Some contractors have expressed dissatisfaction with the new model, arguing that CMMC adds unnecessary friction to the industry. Others felt that the standards were too general and placed unfair burdens on some firms. Still other contractors reacted to CMMC with bewilderment and confusion.

Still, the Department of Defense takes its cybersecurity very seriously, and with good reason. With so much at stake, the DoD cannot afford to let cybersecurity standards fall by the wayside. Doing so could have dire consequences for both your business and national security. While you’ve likely been on the lookout for the implementation of CMMC for a while, there are some changes you should be aware of.

CMMC 2.0

While the DoD fully intends to move forward with requiring CMMC compliance, it has also remained attuned to the concerns of contractors across the DIB. Chief among these is the sense that CMMC is unfair to contractors who do not directly handle information that is classified or sensitive.

In response, the DoD decided that it was appropriate to revise the existing CMMC standards. The new guidelines are designed to be more efficient while also protecting national interests. The guidelines are referred to as CMMC 2.0, and they consist of three major changes.

Maturity Levels

The most critical development revealed in CMMC 2.0 is its revision of maturity levels. The original framework created five maturity levels that contractors had to comply with depending on the nature of their business. CMMC 2.0 reduces the number of maturity levels from five down to three.

Third-Party Assessments

The defining feature of the first iteration of CMMC was its introduction of a third-party accreditation body. Specifically, it strengthened the preceding DFARS framework by ending contractors’ ability to self-certify the integrity of their systems. Instead, contractors would have their systems audited by a third party.

CMMC 2.0 splits the difference between these certification methods. Companies that do not handle Controlled Unclassified Information or High-Value Assets will no longer need to submit to an accreditation body. Instead, they will be allowed to perform a self-assessment once a year.

Firms that do handle HVA and CUI will be expected to comply with the CMMC accreditation body’s audits as previously planned.

Plan of Action and Milestones

Originally, CMMC would have made firms with non-compliant systems ineligible to bid for contracts. CMMC 2.0 has revised this as well. If a non-compliant firm wishes to bid for a contract, it will be permitted to submit a Plan of Action and Milestones: a timeline for when its systems will be brought into compliance.

Now that the new guidelines are public, your firm should assess the nature of your business in order to determine how you’ll be impacted by CMMC 2.0. You can do this by exploring the new guidelines in detail or by working with an experienced compliance management service.
