CMMC 2.0: Codifying the Proposed Revision

By Eric Noonan • December 29, 2021

Since the revision of the CMMC cybersecurity requirement was announced last month, we have been analyzing and reporting on the changes in a series of blogs. So far we have covered the context for the update, the impact on assessments, and the changes to plans of action and milestones (POA&Ms). This blog addresses what we currently know about how the DoD will handle the rulemaking for this revision.

Timeline of Rulemaking Process

Much has been made of the decision to codify CMMC 2.0 through formal rulemaking. The government has said that reviewing and completing the rulemaking requirements will take nine to 24 months. Keep in mind that what has been presented so far is a proposal and could change: as the process unfolds, public comments will be solicited, and the government will consider them, possibly resulting in changes to the proposed revision.

  • If this process takes just nine months to complete, CMMC will arrive three years earlier than what had been planned with CMMC 1.0, which was scheduled to be effective in 2025.
  • If it takes two years and becomes effective in 2023, it will still be here two years earlier than with the previous version.

Many people appear to be misreading this badly. Rather than pushing compliance out, the DoD has taken time off the clock and moved up the date by which contractors need to be compliant.

Suspension of Pilots and Certification is a Non-issue

Another change is that the CMMC pilots and certifications have been suspended. On the surface this can seem dramatic, but in practice it has little impact: there was never much reporting or other evidence that the pilots got under way in any meaningful way.

As for the suspension of certification, the revision states that participation in CMMC is now voluntary. In practice, CMMC 1.0 certification had always been voluntary as well: no contract required it, and zero companies were ever certified.

Our view is that the government is sending a clear message: companies that want to do business with the DoD should focus on the foundational cybersecurity practices laid out in NIST SP 800-171.

What it Means to Your Business

Many of the proposed changes actually accelerate the cybersecurity compliance requirements. That is good news for anyone who supports national security and for defense contractors that want mandatory, verifiable cybersecurity minimums across the industrial base.

If you are a defense contractor, you should plan on meeting the cybersecurity minimums laid out in NIST SP 800-171, including audit logging and security event monitoring (SIEM), vulnerability management, asset inventory and configuration baselines, and more. The services and products that come together to get you to compliance have not changed.

Next Steps

If you have any questions about how your organization should proceed in implementing these cybersecurity controls, contact us. We understand the requirements of NIST SP 800-171 and can help you move forward to achieve and maintain compliance.

Watch a recording of our webinar about CMMC 2.0 and learn more about how it might impact your business.
