To harden national security, the Department of Defense (DoD) launched the rule-making phase of Cybersecurity Maturity Model Certification (CMMC) 2.0 on November 17, 2021. Reports indicated that a final set of mandated rules would take 9 to 14 months to complete, and that date is quickly approaching.
As the months pass, an increasing number of industry leaders are asking how to prepare for CMMC 2.0. The answer depends on your position in the Defense Industrial Base (DIB) and the level of cybersecurity that position warrants. If you are a military contractor, or you benefit from lucrative government supply chain contracts, it is crucial to take proactive measures now to have your cybersecurity vetted by a qualified CMMC Third-Party Assessment Organization (C3PAO).
Who Needs To Be CMMC 2.0 Compliant?
The first incarnation of CMMC was set aside because it placed a heavy burden on companies that handled only peripheral military supply chain services. CMMC was built on the idea that organizations would meet stringent guidelines based on five cybersecurity levels. The CMMC 2.0 update streamlines the cyber-hygiene levels from five down to three. It also takes a more flexible approach to meeting the federal standards required to remain in the military supply chain.
A panel of CMMC 2.0 experts reportedly said that everyone in the DIB would need to be certified. How to prepare for CMMC 2.0, and how an organization proves its readiness, may still differ significantly from one company to the next. The following are recommendations and information put forward by the ABA Section of Public Contract Law’s Committee on Cybersecurity, Privacy & Data Protection regarding CMMC 2.0.
- Panelists noted that cybersecurity threats are escalating and present a persistent threat to contractors and encouraged contractors to take action now.
- The panelists highlighted that despite streamlining and implementation changes, the basic practices required under CMMC have not changed from version 1.0 to version 2.0.
- All members of the DIB will have to certify, and the only difference is who is doing the certification.
- In addition to the triennial certification requirement, CMMC 2.0 will require all contractors to make an “affirmation” of compliance annually.
- The Department of Justice’s Cyber Fraud Initiative will heighten the risk of liability for non-compliance under the False Claims Act.
- DoD is considering incentives to encourage early certification, which include providing a 4-year expiration of certification rather than a 3-year certification for early adopters.
The experts appeared optimistic that qualified third-party assessors would fill the growing need for certification and compliance. However, the panel members also urged companies to take proactive measures to prepare for CMMC 2.0, noting that those who do would navigate the mandate more efficiently and cost-effectively.
How To Prepare For CMMC 2.0
Initial assessments by C3PAOs are slated to begin over the summer months. Contractors will have no more than one year to pass a formal assessment. Failing to gain certification could result in being sidelined and losing revenue from DoD and other federal contracts.
Some were optimistic that more than enough firms with expertise in cybersecurity, and specifically in CMMC 2.0, would step forward. That has not necessarily been the case. Those who procrastinate in enlisting a C3PAO could find themselves in a supply-and-demand logjam similar to America’s backlogged container ports. The following are good starting points on how to prepare for CMMC 2.0.
• Identify Your CMMC 2.0 Level: Review the CMMC 2.0 documentation and decide which cyber-hygiene level applies to your company, which is driven by the kind of information you handle (Federal Contract Information versus Controlled Unclassified Information). Each of the three levels tasks an organization with meeting best practices, aka “controls,” drawn from National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. CMMC 2.0 Level 1 requires an organization to meet 17 controls. Level 2 requires all 110 controls of NIST SP 800-171. Level 3 calls for those same 110 controls plus a yet-to-be-disclosed subset of NIST SP 800-172 requirements.
• Follow The Cyber AB: Previously known as the CMMC Accreditation Body (CMMC-AB), the group publishes essential information about critical dates and next steps. It also warns DIB contractors, “the process of accreditation is rigorous. It culminates with an assessment conducted by a team of experienced and qualified professionals to affirm the standards are satisfied.”
• Work With A Cybersecurity Firm: The best way to prepare for CMMC 2.0 is to work with an experienced cybersecurity firm that has already earned C3PAO status. A third-party cybersecurity organization can start preparing your network, end-user devices, data storage security, and transmission methods, and educate key stakeholders about the best practices that will be required. One caveat when choosing a partner: conflict-of-interest rules prevent a C3PAO from performing the formal assessment of an organization it has advised, so plan for the firm that helps you prepare to be distinct from the one that certifies you.
By preparing today for the rollout, you won’t get caught in a backlog of DIB contractors trying to maintain their contracts.
Contact An Experienced Cybersecurity Firm For CMMC 2.0 Compliance
Once the rollout of the DoD cybersecurity mandate begins, the clock starts ticking. Organizations in the DIB are likely to rush to hire a firm to identify their cyber-hygiene level, make the necessary upgrades, educate the workforce, and schedule a certification assessment.
Rather than delay, contact Sedulous Consulting Services today. As an accredited C3PAO assessment firm staffed by cybersecurity experts, we know how to prepare for CMMC 2.0.