CMMC 2.0: Codifying the Proposed Revision

By Eric Noonan • December 29, 2021

Since the revision of the CMMC cybersecurity requirement was announced last month, we have been analyzing and reporting on some of the changes in a series of blogs. So far we’ve covered a range of topics, including the context for the update, the impact on assessments, and changes to plans of action and milestones (POA&M). This blog will address what we currently know about how the DoD will address the rulemaking of this revision. 


Timeline of Rulemaking Process

Much has been made of the rulemaking required to codify CMMC 2.0. The government has said that reviewing and completing the rulemaking requirements will take nine to 24 months. It is also important to keep in mind that what has been presented and proposed could still change: as the process unfolds, public comments will be solicited, and the government will then review them, possibly resulting in changes to the proposed revision.

  • If this process takes just nine months to complete, CMMC will arrive three years earlier than had been planned under CMMC 1.0, which was scheduled to be effective in 2025.
  • If it takes the full two years and becomes effective in 2023, it will still arrive two years earlier than under the previous version.

It appears that many people are severely misreading this change. In fact, the DoD has taken time off the clock and moved the need to be compliant closer, not further away.


Suspension of Pilots and Certification is a Non-issue

Another change is that CMMC pilots and certification have been suspended. On the surface this can seem sensational, but in reality it does not appear to have much impact, as there was never much reporting or information indicating that the pilots had taken off in any meaningful way.

As for the suspension of certification, the revision states that participation in CMMC is now voluntary. In practice, complying with CMMC 1.0 had always been voluntary: zero companies have ever been certified.

It is our belief that the government is sending a clear message: companies that want to do business with the DoD should focus on the foundational cybersecurity practices outlined in NIST 800-171.


What it Means to Your Business

Many of the proposed changes appear to actually speed up the cybersecurity compliance requirements, and they appear favorable both to those who prioritize national security and to defense contractors who want mandatory, verifiable cybersecurity minimums.

If you are a defense contractor, you should plan on meeting the cybersecurity minimums laid out in NIST 800-171, including security incident and event management, vulnerability management, asset inventory, and more. The services and products that together bring you to compliance have not changed.


Next Steps

If you have any questions about how your organization should proceed in implementing cybersecurity controls, contact us. We understand the requirements of NIST 800-171 and can help you achieve and maintain compliance.

Watch a recording of our webinar about CMMC 2.0 and learn more about how it might impact your business.
