If your organization has been preparing for CMMC certification, the news that the Department of Defense has issued CMMC 2.0 and cast aside the CMMC 1.0 model (and timelines) may have been greeted with a mix of dismay and relief. The dismay is due to all the effort already put into meeting CMMC requirements. The feeling of relief may be along the lines of “Thank goodness we don’t have that to worry about any longer.” I have separate responses to each of these sentiments.
Concerning the dismay about having wasted so much time preparing for a certification that’s been jettisoned, I’m here to tell you that the hard work you’ve already done is anything but a waste. If you’ve implemented controls, where none existed before, to meet particular CMMC requirements, you’ve strengthened your organization’s information security posture in very tangible ways. Right there, you’ve provided value to your organization. Just identify the metrics and build the dashboard to prove this point.
Now, let’s address that mischievous thought that you don’t have to worry about CMMC any longer. Of course, that’s not true either. But, there will be those voices that argue that the projects intended to address CMMC requirements should be less of a priority, as they’re nice to have but no longer urgent. Here is where you should reframe the discussion from a compliance-based perspective to a risk-based perspective, simply by pointing directly to the risks that these CMMC-based initiatives are designed to address. Take compliance out of the discussion for the moment to talk about the risks that will go unaddressed if we decide to take our foot off the gas.
While compliance requirements have always been a useful cudgel for the information security leader to persuade the intransigent to behave securely, the most robust cybersecurity programs are those that take a risk-based approach. So, keep advocating for the further development of your organization’s cyber defenses, because it’s the right thing to do right now. Then, further down the road, you’ll be in a better position to achieve CMMC 2.0 certification than if you treated this announcement as a reprieve.
CMMC 2.0 is not a reprieve nor an admission of defeat. It’s a tactical retreat. The objective is still the same, but CMMC 1.0 was unwieldy, collapsing under the weight of its complexity. The streamlined approach that CMMC 2.0 takes will be a more straightforward program for the CMMC Accreditation Body to oversee.
What’s new with CMMC 2.0?
As a streamlined version of its predecessor, CMMC 2.0 should be welcome news to all entities subject to it. Gone are the 5 maturity levels where levels 4 and 5 were poorly understood future states of cyber readiness. In CMMC 2.0 there are now only three levels that draw requirements directly from basic safeguarding requirements for Federal Contract Information (FCI), NIST SP 800-171, and the newly released NIST SP 800-172. CMMC 2.0 eliminated CMMC's unique practices. So, there are fewer requirements in total.
The other big change is that organizations that do not handle sensitive national security information will be permitted to conduct self-assessments (Level 1 and a subset of Level 2 requirements). Most organizations that handle CUI will still be required, at minimum, to certify to Level 2 (Advanced). Level 2 certification will be measured against the full set of NIST SP 800-171 requirements, and this assessment will be conducted by certified third-party assessors. The greatest level of maturity in this new model is Level 3 (Expert). Level 3 certification will be required of organizations that handle CUI associated with a critical program or high-value asset. Level 3 certification will be measured against the enhanced security requirements contained in NIST SP 800-172. However, unlike CMMC 1.0, which left all certification assessments in the hands of certified third parties, CMMC 2.0 Level 3 assessments will be government-led.
Figure 1 - Breakdown of CMMC 2.0 as provided by the US Department of Defense
When will CMMC 2.0 become a requirement?
CMMC 2.0 will not be a contractual requirement until the DoD completes the rulemaking that will govern the implementation of the program. Typically, the rulemaking timeline ranges between nine months and two years. Once rulemaking is completed, CMMC 2.0 will become a contractual requirement.
How are we supposed to prepare to comply with a maturity model, when the rulemaking hasn’t been completed?
The simple answer to that is to align your organization’s practices to the NIST SP 800-171 and SP 800-172 requirements. Conduct regular reviews of your practices against the applicable requirements, identify deficiencies, and track remediation of those deficiencies.
I hope this article was somewhat reassuring, but I’ll conclude with this exhortation to keep up the momentum in building your cybersecurity program. By laying the groundwork now, your organization will be well-positioned to gracefully manage the CMMC assessment when the time comes. Conversely, delaying action until the rulemaking process is finalized can result in a mad scramble to get all controls in place in time for the assessment, and generally, auditors do not look kindly on organizations that appear disorganized and reactive. Keep in mind that when CMMC does go into full effect, organizations that achieve certification early on will have a powerful differentiator against their competition, and the competitive advantage that being early to market offers can set an organization up for long-term success.
Wherever you are in the development of your CMMC certification program, LRQA can discuss your unique set of challenges and help plot a path forward.