The Department of Defense (DoD) is poised to launch the Cybersecurity Maturity Model Certification (CMMC) version 2.0 by early 2025, a significant upgrade aimed at fortifying the cybersecurity defenses of the defense industrial base while addressing criticisms leveled at the original CMMC 1.0.
Streamlining Cybersecurity Requirements
The CMMC 2.0 initiative introduces a streamlined, three-tiered certification model, replacing the complex five-level structure of CMMC 1.0. This restructuring aims to simplify compliance and enhance cybersecurity measures across the defense supply chain:
- Level 1: Basic cyber hygiene for contractors with federal information but no Controlled Unclassified Information (CUI).
- Level 2: Intermediate protection for contractors handling CUI, equivalent to the previous Level 3.
- Level 3: Advanced safeguards for contractors dealing with critical CUI and high-value technologies, replacing the previous Level 5.
By reducing the number of levels and aligning the requirements more closely with the National Institute of Standards and Technology (NIST) standards, specifically NIST SP 800-171 and NIST SP 800-172, CMMC 2.0 aims to make cybersecurity compliance more straightforward and effective.
Flexible Assessment Procedures
A key feature of CMMC 2.0 is its flexible assessment procedures. Contractors at Level 1 and some at Level 2 can now perform self-assessments, significantly reducing the cost and administrative burden. For Level 3 contractors, which handle the most sensitive information, rigorous evaluations will be conducted by government auditors to ensure compliance with the highest security standards.
David McKeown, Deputy Chief Information Officer for Cybersecurity, emphasized the importance of these changes at the Potomac Officer’s Club Cyber Summit: “We’re moving forward, hoping by the first quarter of [2025] we’ll be able to start enforcing this and putting this in contracts.”
Responding to Industry Feedback
The DoD has actively sought and incorporated feedback from industry stakeholders to refine the CMMC framework. The public comment period for the proposed rule ended on February 26, 2024, garnering substantial input from various stakeholders. This collaborative approach aims to address industry concerns while maintaining the integrity and robustness of the certification process.
McKeown highlighted the iterative nature of CMMC’s development: “This has been discovered learning, and they’ve got so many roadblocks that have popped up and so much resistance to this, but we feel this is super important.”
Economic Considerations
Cost has been a significant concern with CMMC 1.0, especially for small and medium-sized businesses. CMMC 2.0 addresses this by allowing self-assessments at the lower levels and streamlining requirements to eliminate unnecessary practices. The DoD’s proposed rule outlines that the new model will reduce costs by simplifying the compliance process and increasing oversight for third-party assessments.
“In estimating the public costs, DoD considered applicable nonrecurring engineering costs, recurring engineering costs, assessment costs, and affirmation costs for each CMMC Level,” the proposed rule states. This cost-conscious approach is part of the DoD’s commitment to making cybersecurity compliance more economically feasible for its partners.
Implementation Timeline
The phased rollout of CMMC 2.0 is scheduled to begin early next year, with full implementation expected by October 1, 2026. The DoD will start including CMMC requirements in contracts once the rulemaking process is completed, ensuring that defense contractors have ample time to prepare for and adapt to the new standards.
McKeown emphasized the importance of these measures in defending against repeated cyber threats: “It’s not just about protecting the data. It’s about doing battle with persistent threats.”
Conclusion
As the DoD moves forward with CMMC 2.0, defense contractors must prepare for these changes by thoroughly understanding the new requirements and planning accordingly. The implementation of CMMC 2.0 represents a crucial step in safeguarding national security and ensuring the resilience of the defense industrial base against evolving cyber threats. By streamlining requirements, reducing costs, and maintaining a robust assessment process, CMMC 2.0 aims to enhance the cybersecurity posture of the entire defense supply chain.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –
https://www.netizen.net/contact