Upcoming Changes to CMMC

The latest update of the Cybersecurity Maturity Model Certification, CMMC 2.0, was announced on November 17th, 2021. The upcoming changes will be officially released in approximately nine to twenty-four months. Prepare now so that your organization can effectively retain its client base.

Your organization is eligible for CMMC if it manages government contracts, as there will be policies and procedures involving controlled unclassified information (CUI). Small pieces of seemingly inconsequential unclassified information, possibly worthless by themselves, can be CUI. In essence, CUI tries to guard against classification by compilation. From a civilian standpoint, this information would be considered “internal use only” or information you do not want public.

CMMC Evolution

The Capability Maturity Model Integration (CMMI), a program for the Department of Defense (DoD) introduced 20+ years ago, was a methodology for assessing whether an organization had a 'mature,' disciplined cybersecurity system. It included five levels of maturity, which evolved into a certification effort called CMMC 1.0.

The idea of CMMC 1.0 was to have independent proof that the thousands of Defense Industrial Base (DIB) contractors were using the practices for protecting non-federal systems in NIST 800-171 and NIST 800-172. Given the difficulty of proof (dependent on the level of data), a cybersecurity industry of Certified 3rd Party Assessment Organizations (C3PAOs) developed. While CMMC 1.0 was a great idea, it generated a lot of concern from several sources, mostly about the bureaucratic structures required.

Upcoming Changes

The following CMMC 2.0 requirements are stated in the Federal Register. The new criteria "…will suspend CMMC Piloting efforts [and] will not approve inclusion of a CMMC requirement in DoD solicitations…". Additionally, CMMC 2.0 will shift to three levels of certification, with level two being the average. This allows for some company leadership attestation of compliance at lower levels, rather than third-party contractor or government attestation, and brings in POAMs (Plans of Action and Milestones) in some cases if a company cannot immediately meet certification requirements.

Be Proactive

From an efficiency standpoint, we strongly recommend organizations begin implementing the NFO Controls (building out policies and procedures) to reduce the impact of technical controls on the organization’s culture and operations.

If your company bids on Department of Defense (DoD) contracts and the like, knowledge of this update should be of immense value, as the need to adapt to changes is expected. Choose to protect your business now, and do not wait for the official publication of CMMC 2.0.
