By Emily Newton, Editor-in-Chief at Revolutionized Magazine
The United States Department of Defense (DoD) announced CMMC 2.0 in November 2021. Fully rolling out this new version of the DoD’s Cybersecurity Maturity Model Certification will likely take until 2023.
Even with that forgiving on-ramp for becoming compliant, there are definite advantages to suppliers and other contractors that take the time to understand what’s changing and make appropriate adjustments before the final deadline.
These revisions were made to answer complaints from the contractor community that CMMC 1.0 was too difficult and burdensome to adopt. The DoD listened, which means the time to adapt to these changes has arrived. Companies that make the prescribed changes before their peers will find themselves in a far more competitive position.
What Is CMMC?
The Cybersecurity Maturity Model Certification is a DoD program designed to unify national Defense Industrial Base (DIB) cyber certification models. Its purpose is to ensure contractors within supply chains critical to national defense abide by a common set of rules for information handling, data storage and cybersecurity precautions.
CMMC applies to all Defense Department contractors but is not required for every contract. This may change in the future. It’s also possible that CMMC will one day apply to contracts beyond the DoD.
Obtaining certification under this program carries a cost for the contractor. It depends on which CMMC maturity level they’re targeting, the size of the contractor and other factors. Certification involves third-party assessors conducting impartial audits at the request and expense of the contractor.
What’s Different in CMMC 2.0?
The Defense Department cites supply-chain challenges, material shortages, cybersecurity concerns, international competition and espionage as additional reasons for amending CMMC.
This newest iteration of the Defense Department’s Cybersecurity Maturity Model Certification is designed with suppliers and other contractors as a top-of-mind concern. The changes center on these areas:
- Making CMMC-based protections more robust in light of emerging cyberthreats
- Restructuring CMMC’s maturity levels to make compliance more straightforward for contractors
- Improving the general accessibility of the process to encourage more widespread participation and shore up holes in national supply chains
- Bringing down the cost of obtaining certification for contractors by improving approval protocols
It likely won’t be until 2023 that the DoD begins requiring CMMC compliance among contractors more widely. Nevertheless, there are benefits to becoming familiar with these new standards and adopting them early.
1. Improved Relevance and Credibility
The bigger players within the Defense Industrial Base began implementing CMMC 1.0 and CMMC 2.0 standards as soon as they became available. They wanted to remain relevant and credible players.
The same is true for any smaller or mid-sized company that wants to be taken seriously within the DIB. Cybersecurity is national security. Any contractor wishing to do business with the DoD needs that truth baked into their culture and data-handling processes.
2. Safer Intellectual Property and Supply Chains
In politics, it’s popular to refer to strong regulations as burdensome. The business community knows better. The United States is globally competitive because of a relatively stronger regulatory environment than other markets.
Regulations are not burdensome or a measure to appease bureaucrats. Adhering to CMMC 2.0 and standards like it helps companies protect their intellectual property, networks, client data, connected equipment and other assets. It might feel like the DoD is constantly raising the bar for smaller and mid-sized contractors, but that’s because threats don’t take a day off. They become more sophisticated all the time.
CMMC 2.0 is designed to help defense contractors keep themselves and the nation safe. Staying safe is simply good business, no matter what other benefits might be on offer.
3. A Roadmap for Growth
The Defense Department reduced the CMMC maturity levels from five to three under the new 2.0 framework to curb confusion and make the certification process more accessible.
Level 1 — the foundational level — includes 10 cybersecurity best practices, annual self-assessments and other requirements. Levels 2 and 3 — the advanced and expert levels — require compliance with as many as 110 distinct best practices as identified by the National Institute of Standards and Technology (NIST).
This way, CMMC 2.0 provides a roadmap for growth for contractors and a clearer and more accessible one than CMMC 1.0 provided.
The other benefit of making the maturity levels clearer and more attainable is that it helps companies avoid becoming the weak link within their value chains. It’s also easier for companies to recertify in the future when DoD cyber standards inevitably evolve again.
Early adopters of CMMC 2.0 will have far less trouble rolling with the punches when those changes come. As companies gain proficiency with the lower maturity levels in these early days, the 2.0 changes make it easier to recertify for even higher maturity levels — potentially long before competitors are aware they’ll soon be accountable to CMMC mandates.
CMMC provides guidance for several specialization areas, including:
- Access control
- Auditing and accountability
- Personnel security
- Physical protection
- Risk management
- Situational awareness
- System and information integrity
Early adoption of CMMC 2.0 doesn’t just unlock doors and contracts — it also reveals weak spots with targeted specificity. DoD contractor aspirants will realize better earnings by paying attention to their cyber weaknesses as early in the game as possible.
Get Cybersecurity Maturity Model Certification Before the Rest of the Pack
The threat landscape in public- and private-sector supply chains is clear, and the U.S. government is signaling that cybersecurity is among its top concerns.
Even before considering bad actors operating domestically and abroad, the potential for data loss and mishandling among suppliers and supply-chain operators is immense. Strong unifying standards like CMMC 2.0 are intended to help defense contractors add conscientious data-handling practices to their company cultures.
CMMC was a significant step forward in unifying and clarifying the government’s cyber standards for DoD suppliers and other contractors. CMMC 2.0 takes those standards further while reducing companies’ financial and practical burdens.
Emily Newton is the Editor-in-Chief at Revolutionized Magazine. A regular contributor to Brilliance Security Magazine, she has over four years of experience writing articles in the industrial sector.