Why should you pay attention to CMMC 2.0?

How time flies, even in the middle of, and hopefully now, the end of a pandemic!

Well, 15 months have already passed since I published my last article on CMMC, titled CMMC As A Process (CAAP), which was based on CMMC 1.02 at the time, available here.

A lot has transpired since I published that article, some of which may or may not have come as a surprise to CMMC stakeholders like me, including the release of CMMC 2.0 in December 2021, which caught many of us by surprise.

For a quick crash course on CMMC 2.0, please feel free to listen to the webinar Making CMMC 2.0 Affordable for SMBs, which I presented back in January 2022 with my friends and strategic partners Sanjeev Verma, CEO at PreVeil, and Kevin Dodson, COO at eFortresses.

What changed from CMMC Version 1.02 to 2.0?

The release of CMMC 1.02 in March 2020 caught the attention of DoD prime and sub-contractors, due to:

  • DoD and its supply chain facing increasing cyber threats from state actors, hacktivists, and criminals, resulting in a shift from requiring annual self-assessment-based attestations through the DoD’s SPRS portal to third-party assessments and independent certification to comply with DFARS 252.204-7012.
  • DoD’s initial plans to require 100% compliance for Maturity Levels 1-5, with no wiggle room for a Plan of Actions & Milestones (POA&M) that would give entities in its supply chain time to remediate identified gaps.

The release of CMMC 2.0 in December 2021 brought some relief to most of the SMBs, which make up an estimated 90% of the DoD supply chain, a supply chain estimated to total somewhere between 300,000 and 350,000 entities globally.

How can CMMC 2.0 benefit SMBs?

Generally speaking, CMMC 2.0 is good news for the Small and Midsize Businesses (SMBs) that I often work with, typically those SMBs with 5 to 500 employees. This is because Level 1 now requires only an annual self-assessment, instead of a third-party assessment, against 17 practices, thereby making this journey a little less daunting.

CMMC 2.0 has Maturity Levels 1-3 as opposed to Maturity Levels 1-5 in CMMC 1.02, thereby streamlining the process for SMBs pursuing CMMC Maturity Level 1 compliance or CMMC Maturity Level 1-2 certification.

As you are probably aware, the rulemaking process for DFARS 252.204-7021, mandating CMMC 2.0, will be completed in the next 9 months. I’m predicting that by this time next year, there will be a mad rush by companies in the Defense Industrial Base (DIB) to achieve CMMC 2.0 Level 1 compliance or Level 2 certification, either for Fear of Missing Out (FOMO) on lucrative DoD contracts or for Risk of Jail Time (ROJT) for falsifying CMMC compliance in the SPRS portal (if caught) under enforcement of the False Claims Act (FCA).

According to the DoD, CMMC 2.0 will become a contract requirement once rulemaking is completed. The publication of materials relating to CMMC 2.0 reflects the DoD’s strategic intent with respect to the CMMC program; however, CMMC 2.0 will not be a contractual requirement until the DoD completes rulemaking to implement the program.

The recently passed Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) will require entities that are part of any of the 16 critical infrastructure sectors, which could include DoD prime and sub-contractors, to report any substantial cybersecurity incidents or ransom payments to the federal government within 72 and 24 hours, respectively. Significantly, the new reporting requirements may apply even if the cybersecurity incident does not involve the unauthorized access or acquisition of personal information. This Act is also undergoing rulemaking, which, in the face of growing threats from US adversaries, is likely to be completed next year. This creates a perfect storm (compliance-wise) for DoD prime and sub-contractors!

Since CMMC 2.0 was launched 6 months ago, I’m seeing an exponential spike in the number of LinkedIn users, globally, requesting to join my CMMC-focused LinkedIn group: Cybersecurity Frameworks and Maturity Models. If this is not an early indication of the impending perfect storm, I don’t know how else to explain this spike.

To avoid getting caught up in this impending perfect storm, it would behoove any entity intending to remain in the DoD’s supply chain, which is a big chunk of its ever-growing budget (a massive $773 billion budget requested for Fiscal Year 2023), to commence its 6- to 12-month CMMC 2.0 and CIRCIA compliance journey now!

In practical terms, for as little as a $2,500 annual subscription (reduced to $2,250 for NDIA members), I have been able to assist my vCISO SMB clients to start their CMMC 2.0 and CIRCIA compliance journey by offering them the following, through eFortresses – a CMMCAB Registered Provider Organization (RPO):

CMMCSCORECARD 1-Year Software-as-a-Service Subscription License

  • Multi-User Access.
  • 4 Assessments for Quarterly NIST SP 800-171 and CMMC 2.0 Levels 1 to 3 Self-Assessments.
  • Independent Rating, Breach Probability, Compliance, Maturity, Trending and Benchmarking Reports.
  • Downloadable and customizable cybersecurity gap remediation templates, including System Security Plan (SSP), Plan of Actions & Milestones (POA&M), Policies, Procedures, Standards, Spreadsheets with high quality control mappings, etc.
  • Access to Cloud Security Ratings Database and Security Breaches Matrices research spanning 2005 to 2021.
  • Advisory Hours for Validation of Controls Evidence and SPRS coaching.
  • Access to Online Certified CMMC Professional (CP) Course Content.

It is worth noting that as a vCISO, in addition to CMMC, I also use this SaaS platform to deliver assessment and remediation services to SMB clients that are seeking independent assessments and, when relevant, certification readiness against the major cybersecurity standards and frameworks, including but not limited to the ISO 27000 series, SOC 2, PCI-DSS, NIST CSF, NIST SP 800-171, NIST SP 800-53, FedRAMP, CMMI, HIPAA, MARS-E, and CSA.

If you need a partner in your CMMC Journey, schedule your FREE 30-minute advisory call with me here.

Otherwise, have fun on your journey towards CMMC 2.0 compliance and fast approaching certification!

Regards,

Taiye.