On November 4, 2021, the Department of Defense (DoD) announced sweeping changes to the Cybersecurity Maturity Model Certification (CMMC) program. The previous version of CMMC (1.0) is now being upgraded to 2.0, with the continued aim of improving the security of the defense industrial base through assessments and third-party cybersecurity certifications. These changes will affect the nation’s supply chain of more than 350,000 companies worldwide.
As the largest licensed training provider in the Cybersecurity Maturity Model Certification (CMMC) ecosystem, we have put together this in-depth Q&A to help deliver certification clarity and guidance to contractors, subcontractors and organizations around the world.
Q. Is there a replacement for CMMC now that it is undergoing significant change?
A. While CMMC 2.0 is under development, the Pentagon is encouraging defense contractors to follow cybersecurity practices laid out by the National Institute of Standards and Technology (NIST 800-171). If you would like to learn more about NIST and how it impacts your CMMC compliance, check out our brand new NIST SP 800-171 Requirements Training course.
Q. Is there an approximate timeframe for rolling out CMMC 2.0?
A. The discussed timeframe is somewhere between 9 and 24 months to finalize the rulemaking efforts. This includes a 60-day public comment period prior to the rule taking effect.
Q. Why did they make such sweeping changes to CMMC 1.0?
A. To provide clear requirements and accountability. In addition, the Pentagon decided to revamp the CMMC because it was considered too costly and burdensome for many in the defense industry, especially small to medium-sized enterprises that do not handle the relevant data.
Q. How long will it be before CMMC 2.0 is released with contracts requiring certification?
A. New requirements will not show up in contracts for at least nine months, with the potential for the rulemaking process to stretch out as late as fall 2023.
Q. Under CMMC 1.0 the initial estimate for DoD contractors needing third-party assessment was 350,000. Is that still the case?
A. The DoD estimates that roughly 40,000 companies hold controlled unclassified information (CUI) and will still require a third-party assessment.
Q. Will there be any formal announcements or communication regarding CMMC changes?
A. The Pentagon is continuing to finalize and publish details on the updated CMMC standards via the program’s website by the end of 2021.
Q. With the suspension of CMMC 1.0, will there still be a need for companies to seek certification?
A. While the Pentagon will not require the certification as part of any contract until after the rules have been finalized, nearly 500 companies fall into the “level three” category, working on highly sensitive programs. They will still need to follow “expert” cybersecurity practices.
Q. Who will conduct the Level 3 assessments?
A. Unlike the CMMC 1.0 guidance where C3PAOs would conduct the assessments, they’ll now be audited by an internal DoD division, the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
Q. What does it mean when DoD says that some contractors will be able to self-attest?
A. If a company doesn’t handle data deemed critical to national security, they will only have to self-attest to their cybersecurity practices on an annual basis.
Q. Are there minimal requirements that must be met now in order to be awarded a contract?
A. Yes. Organizations must get started on their NIST SP 800-171 compliance to meet all 110 controls. Getting started now is key, as preparation can take up to 18 months.
The road to CMMC readiness is a long one. However, it doesn’t have to be hard, and you don’t have to go at it alone. Learning Tree will serve as your CMMC certification partner and will help keep you up-to-date on the latest news, requirements and changes.
Still need help?
If you need CMMC guidance or have additional questions, check out our CMMC Business Solutions page or contact us at: 1-888-843-8733.