If you do business within the United State's Defense Industrial Base, Cybersecurity Maturity Model Certification has likely been on your mind for quite some time. Since this fortification of the DoD's cybersecurity standards was unveiled, members of the DIB have been scrambling to prepare for their first CMMC audit. Technology moves fast, however. The guidelines around CMMC have consistently been subject to change since they were announced.
The early information surrounding the implementation of CMMC was met with a mixed response. In one respect, there were parties who welcomed the new standards and argued that this would make their business safer and more efficient. Conversely, many contractors felt that many of the CMMC standards were unnecessarily stringent. They argued that many of the expectations were unfair because access to Classified Uncontrolled Information is not equally distributed across the DIB.
In response to this discourse, the Department of Defense ultimately decided to revise its guidance around implementing Cybersecurity Maturity Model Certification. The expectations have changed and are now known as CMMC 2.0. Changes in the DoD's guidance do not make this information any less critical. It is very possible that more changes are on the way, but for now, there are a few things you can do to prepare.
CMMC: Revisiting The Basics
While you may already be familiar, reviewing the basics of Cybersecurity Maturity Model Certification will help you understand the changes present in CMMC 2.0. Simply put, CMMC is a fortification of the existing DoD cybersecurity standards. DIB contractors are required to comply with the Defense Federal Acquisition Regulation Supplement according to standards outlined in NIST 800-171.
Before CMMC, contractors could self-certify their compliance with DFARS and NIST 800-171. CMMC established an accreditation body that would ensure that contractors were in compliance using third-party auditors.
CMMC 2.0
Initially, a CMMC audit would be scored according to five maturity levels. The first major change under CMMC 2.0 is that these maturity levels have been revised. Rather than five levels of maturity, there are now only three. The other major change has to do with the third-party accreditation services. Originally, every DIB contractor would have been subject to an audit. This was true no matter what maturity level the contractor was required to achieve. Now, the accreditation requirements have been relaxed as well. If you are a DoD contractor who does not handle sensitive information, you will no longer have to certify with an accreditation service. You will be allowed to self-certify the integrity of your cybersecurity network.
How To Prepare
Under this updated framework, the first thing you should assess is the nature of the information you handle. For contractors who do not handle Classified Uncontrolled Information or High-Value Assets, only self-certification will be necessary.
If your organization handles CUI or HVA, then you will need to determine what level of CMMC you will need to comply with. Once you've done this, it is recommended that you work with a compliance management service to prepare a timeline to reach compliance.