On November 4th, 2021, the Department of Defense (DoD) announced changes to the Cybersecurity Maturity Model Certification (CMMC) with the release of CMMC 2.0. More information will be released soon, but some of the changes from CMMC 1.02 to CMMC 2.0 look drastic (on the surface, at least). Here is a high-level breakdown of what’s changing, and what you should be focused on moving forward.
First, and most importantly, organizations that contract with the DoD, while handling Controlled Unclassified Information (CUI) on non-federal systems, are still required to meet TODAY’S requirements (DFARS 252.204-7012, 7019 and 7020), which have nothing to do with CMMC. This needs to be said, as it seems to be getting lost in the complaining, celebrating, and noise-making of CMMC 2.0’s release.
On the surface, it appears there were a lot of drastic changes from CMMC 1.02 to CMMC 2.0. However, when you compare what is required today with what will be required in the future, things didn’t really change that much. NIST SP 800-171 is, and always has been, the backbone of protecting the confidentiality of CUI and the focus of the associated requirements. Under NIST SP 800-171, contractors are required to show policy and procedure documentation that supports their implementation. CMMC was originally developed to verify that defense contractors were actually being held accountable, rather than relying on a self-assessment trust model that wasn't working.
Through the early days of CMMC, to the DFARS Interim Rule, and now the release of CMMC 2.0, it is blatantly clear that the DoD is putting as much accountability as it can on the supply chain. The DoD and tier-one contractors carry a lot of accountability themselves, but to create a collaborative model, accountability is now required in areas where it wasn’t previously. For example, CMMC has put a big emphasis on leadership buy-in and on shared responsibility between the contractor and the providers it chooses to use to implement NIST SP 800-171, FAR 52.204-21, etc. The expectation is that accuracy, planning, budgets allocated to resources, and proactive measures to hit the goals set forth are all in place and met. More importantly, having a System Security Plan (SSP) that you can stand behind and defend is what the DoD wants to see.
At Beryllium and cuick trac™, that’s what we do for our clients. We advise on first establishing where an organization stands today in its compliance program. From there, we focus on the current progress of implementing NIST SP 800-171, on building the correct strategic plan to hit established timelines, and on how the organization's managed compliance program stays in place while threats and requirements continue to evolve.
Those who see CMMC 2.0 as a “victory” or a “told ya so!” moment, reasoning that they DON'T have to improve their cybersecurity and compliance programs, are going to fall even further behind. Beryllium and cuick trac™ engage with organizations who are proud to be part of the DoD supply chain and, more importantly, understand that our national security is at risk. We will continue to be part of the solution!
If you’d like to discuss CMMC 2.0 in more detail and figure out the best path forward for your organization, contact us and speak with one of our cybersecurity advisors today.