CMMC 2.0: Codifying the Proposed Revision

By Eric Noonan • December 29, 2021

Since the revision of the CMMC cybersecurity requirement was announced last month, we have been analyzing and reporting on the changes in a series of blogs. So far we have covered the context for the update, the impact on assessments, and the changes to plans of action and milestones (POA&M). This blog addresses what we currently know about how the DoD will handle the rulemaking for this revision.

Timeline of Rulemaking Process

Much has been made of the decision to codify CMMC 2.0 through formal rulemaking. The government has said that it will take nine to 24 months to review and complete the rulemaking requirements. It is also important to keep in mind that what has been presented and proposed could change: as the process unfolds, public comments will be solicited and ingested by the government, possibly resulting in changes to the proposed revision.

  • If this process takes just nine months to complete, CMMC will arrive three years earlier than what had been planned with CMMC 1.0, which was scheduled to be effective in 2025.
  • If it takes two years and becomes effective in 2023, it will still be here two years earlier than with the previous version.

It appears that people are severely misreading this. In fact, the DoD has taken time off the clock and moved up the date by which contractors need to be compliant.

Suspension of Pilots and Certification is a Non-issue

Another change is that CMMC pilots and certification have been suspended. On the surface this can seem sensational, but in reality it does not appear to have much impact: there was never much reporting or information shared to suggest that the pilots took off in any meaningful way.

In terms of the suspension of certification, the revision states that participation in CMMC is now voluntary. In practice, complying with CMMC 1.0 had always been voluntary, and zero companies have ever been certified.

It is our belief that the government is sending a message: companies wanting to do business with the DoD should focus on the foundational cybersecurity practices outlined in NIST 800-171.

What it Means to Your Business

Many of the proposed changes appear to speed up the cybersecurity compliance requirements, and appear to be favorable both for national security and for those who want defense contractors to be held to mandatory, verifiable cybersecurity minimums.

If you are a defense contractor, you should plan on meeting the cybersecurity minimums laid out in NIST 800-171, including security incident and event management, vulnerability management, asset inventory, and more. The services and products that together get you to compliance have not changed.

Next Steps

If you have any questions on how your organization should proceed in implementing cybersecurity controls, contact us. We understand the requirements of NIST 800-171 and can help you move forward to achieve and maintain compliance.

Watch a recording of our webinar about CMMC 2.0 and learn more about how it might impact your business.