A recent announcement by the Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB) has unveiled several updates to the CMMC framework that will benefit businesses working with the U.S. government.
After the Nov. 4, 2021, announcement, there has been a collective sigh of relief by government contractors and subcontractors working with the U.S. Department of Defense (DoD). Many businesses involved in the defense industrial base (DIB) were struggling with how to achieve Cybersecurity Maturity Model Certification (CMMC) in order to qualify for government contracts.
The U.S. government began rolling out the CMMC program last year, but many contractors and subcontractors found achieving CMMC certification was incredibly time-consuming and costly. Many took their concerns about achieving certification to the government, explaining how difficult meeting the obligations of the new cybersecurity regulation was. That feedback led to a lengthy review and changes that now make it easier for manufacturers involved in the DIB to achieve CMMC certification.
What is CMMC?
With businesses and governments around the globe facing ever-increasing and constantly evolving cyber threats, the Office of the Under Secretary of Defense for Acquisition and Sustainment established the CMMC program. The ultimate goal of the program is to safeguard national security information.
The initial version of the CMMC was outlined and launched in 2019. In September 2020, the DoD published an interim rule to the Defense Federal Acquisition Regulation (DFARS) which implemented CMMC 1.0 and established a five-year phase-in period for the program. The goal was to implement the requirements of the program in government contracts for the U.S. Department of Defense (DoD) and the National Aeronautics and Space Administration (NASA) starting in 2021.
Implementation of the requirements in government contracts was put on hold temporarily to allow time for assessors to get up to speed with the requirements and training needed to allow manufacturers to comply. Once CMMC Certified Assessors (CCA) were trained, certified, and up to speed along with Registered Provider Organizations (RPOs) and Third-Party Assessor Organizations (C3PAOs), it became all too clear that there was not enough manpower or time to handle the tens of thousands of manufacturers and subcontractors waiting to achieve CMMC certification.
In March 2021, the DoD initiated an internal review of CMMC’s implementation with more than 850 public comments responding to the DFARS rule. On Nov. 4, the CMMC-AB issued its press release regarding proposed changes to the implementation of the CMMC initiative. These proposed changes came on the heels of a six-month internal program review by the Pentagon.
The Pentagon announced significant changes to the CMMC technical standards including the removal of two of the five CMMC Levels (formerly CMMC Levels 2 and 4). Additionally, where CMMC had previously not allowed self-attestation at all, CMMC 2.0 Level 1 allows contractors and subcontractors to self-review and attest that they have met the minimum requirements for CMMC certification. Furthermore, the new version of CMMC allows for the inclusion of limited Plans of Action and Milestones (POAMs) as an acceptable form of remediation for certain CMMC practices.
These new changes will make achieving CMMC certification faster, less expensive, and simply easier for small to medium-sized businesses. With these streamlined requirements, CMMC 2.0:
- Cuts red tape for small and medium businesses wishing to achieve CMMC certification.
- Sets priorities and best practices for protecting DoD information.
- Reinforces cooperation between the DoD and the defense industry in addressing evolving cyber threats.
The CMMC Framework
The purpose of the CMMC program is to enhance cybersecurity for all organizations involved with the DIB. The standards and practices being implemented are meant to provide the best protection for sensitive unclassified information shared between the U.S. government and its contractors and subcontractors. By achieving CMMC certification, manufacturers and other companies involved with the DIB can provide increased assurance to the DoD and NASA that they have the best cybersecurity in place to protect classified and unclassified data.
The Office of the Undersecretary of Defense has outlined three key features of the CMMC framework:
- Tiered Model: The CMMC program requires companies working with national security information to implement minimum cybersecurity standards at progressively advanced levels (Level 1, Level 2, and Level 3) depending on what type of information the contractor and its subs will be handling. Level 1 (basic cyber hygiene) requires the implementation of the fewest cybersecurity practices while Level 3 requires the most and is the highest level of CMMC.
- Assessments: The CMMC program allows the government to verify the implementation of clear cybersecurity standards either through self-assessment at Level 1 or through a complete third-party assessment to achieve Levels 2 and 3.
- Implementation in Contracts: Once CMMC is fully implemented, certain DoD and NASA contracts that require the handling of sensitive information will require contractors to achieve a designated level of CMMC certification as a condition of the award. For example, if a business wishes to do work on a DoD contract requiring CMMC Level 2, the company must complete CMMC Level 2 certification as a condition of the contract being awarded.
Matthew Travis, the chief executive officer of the CMMC-AB, was happy to see the improvements to the CMMC process.
“The DoD approached this from the appropriate risk management perspective and delivered on what the internal review set out to accomplish: clarifying the standard, reducing the cost burden, improving scalability, and instilling greater trust and confidence in the CMMC Ecosystem,” Travis said. “There will be some short-term challenges to confront such as curricula adjustments our training providers will now need to make, and the time requirement for yet another round of federal rulemaking.”
Start Preparing Now
If your business has not already done so, now is the time to work toward implementing better cybersecurity standards. There are several steps your company can take immediately to begin moving toward CMMC certification including:
- Educate and train employees regarding cyber threats and how to prevent them.
- Implement access controls to business systems, networks, and data.
- Authenticate users and implement the principle of least privilege.
- Monitor physical space both inside and outside of your business.
- Update your company’s security protocols and protections.
If you have questions about CMMC or improving your organization’s cybersecurity, contact ORAM Corporate Advisors at (617) 933-5060. The call and initial consultation are free and there’s no obligation.