Evolving Threats and Standards for Defense Contractors: An Introduction to CMMC 2.0

The Pentagon is encouraging defense contractors to adhere to the new cybersecurity practices illustrated by the National Institute of Standards and Technologies. According to a Defense Department official, about 40,000 companies will still require a third-party assessment under the revamped Cybersecurity Maturity Model Certification program, called CMMC 2.0.

CMMC 2.0 has an updated program structure to reflect the primary goals of the internal review: Safeguard sensitive information to enable and protect the warfighter while dynamically enhancing defense industry base (DIB) cybersecurity standards to meet evolving threats.

What is a cyber readiness program and why is it important?

To safeguard sensitive national security information, the Department of Defense (DoD) launched CMMC 2.0, a comprehensive framework to protect the defense industrial base from increasingly frequent and complex cyberattacks. With its streamlined requirements, CMMC 2.0:

  • Cuts red tape for small and medium sized businesses.
  • Sets priorities for protecting DoD information.
  • Reinforces cooperation between the DoD and industry in addressing evolving cyber threats.

What does the change from CMMC 1.0 to CMMC 2.0 mean for your organization?

cmmc 2.0

What is CMMC 2.0 and how does it differ from 1.0?

  • The mandatory requirements in NIST 800-171 have not changed. Companies handling Controlled Unclassified Information (CUI) will notice very little change with CMMC 2.0.
  • CMMC 2.0 is a leaner, more flexible version of CMMC 1.0.
  • CMMC 1.0 required contractors to implement 100% of their security practices before being assessed as compliant with a specific level. CMMC 2.0 provides defense contractors with more flexibility if they do not meet full compliance requirements at any level.

Who needs CMMC Certification?

  • CMMC is required of any individual in the DOD supply chain, including contractors and subcontractors who interact exclusively with the Department of Defense. According to the DOD, the CMMC requirements will affect over 300,000 organizations.

What are the 3 levels of CMMC 2.0?

  • The three increasingly progressive levels:
    • Level 1 / Foundational (same as previous Level 1)
      • Contractors not handling critical information related to national security require annual self-assessments.
    • Level 2 / Advanced (previous Level 3)
      • Contractors handling critical information related to national security will require third-party assessments (C3PAO).
    • Level 3 / Expert (previous Level 5)
      • Highest priority – Contractors affiliated with the most critical defense programs will require a government-led assessment.

MMC 2.0 Timeline – When will CMMC 2.0 be required?

  • A final ruling has not been made. A close approximation could be Q2 2023. However, the rule-making process can take 9-24 months. CMMC 2.0 will become a requirement once the rule making is complete. (i)
  • Companies planning for CMMC are already subject to FAR 52.204-21 and/or DFARS 252.204-7012 which form the basis for CMMC 2.0 Level 1 and 3.

How do small to midsize defense contractors (SMBs) navigate the complexity of the CMMC framework?

  • Companies can conduct a NIST 800-171 self-assessments and calculate their SPRS scores. By doing so, companies will be compliant with the interim DFARS ruling. These scores and assessments can provide an indication of CMMC preparedness.

What are the costs of compliance and third-party certification?

  • The DoD proclaims CMMC 2.0 will greatly reduce cost overall compared to CMMC 1.0 due to the removal of assessment requirements found in Level 1, 2, and 4. Companies not handling CUI will find further savings through the allowance of self-assessments. (ii)
  • Multiple factors play a role in determining costs:
    • Network complexity
    • Market forces
    • Gap analysis and remediation expenses
  • The DoD is developing new cost estimates associated with CMMC 2.0. (iii)

How can American Technology Services help with CMMC 2.0?

  • A successful CMMC readiness assessment begins with a comprehensive review of a company’s cybersecurity hygiene. Together, the ATS Compliance team in cooperation with clients can achieve preliminary audit success through several steps:
    1. A detailed review of all existing compliance frameworks
    2. Review of existing documentation and plans
    3. Conduct an interview for Domain level CMMC audit requirements
    4. Create a Gap analysis on deficiencies that assessors will find
    5. Create cost-effective remediation paths
    6. A summary report to wrap up all discoveries and suggestions

Related

American Technology Services Logo White Footer
HQ
2751 Prosperity Avenue
6th Floor
Fairfax, VA 22031
Map & Directions
Phone: 703-876-0300
NY
250 Broadway
Suite 610
New York, NY 10007
Map & Directions
Phone: 888-876-0302
Previous slide
Next slide
Contact Us
Linkedin Twitter Facebook Youtube

© 2024 American Technology Services, LLC. All Rights Reserved. Privacy Policy 

Scroll to Top
Skip to content