January 25, 2022


By Andy S.

Two months ago, the Department of Defense released the Cybersecurity Maturity Model Certification (CMMC) 2.0 standards. The first version of CMMC had some issues that had put industry in a difficult position. Among them being the lack of flexibility around Plans of Action and Milestones (POA&Ms) and the need to be compliant with both CMMC and NIST Special Publication (SP) 800-171, which was very similar, but still had enough differences to cause concern. CMMC 2.0 served to clarify and simplify these long-standing industry questions but left some uncertainty around implementation timeframe.

Specifically, CMMC 2.0 made the following clarifications:

1) It simplified the different levels of CMMC compliance, reducing from five to three.

2) Removed the differences between CMMC Level 2 and NIST SP 800-171 compliance.

3) Delayed the required implementation date until the completion of both the title 32 CFR and title 48 CFR rulemaking processes.

4) Left open the possibility of self-certification for certain non-prioritized acquisitions.

5) Instituted a Plan of Actions and Milestones (POA&M) system with a time-bound waiver process.

While the first two points served to clarify security control requirements and clear up confusion around the DFARS NIST SP 800-171 compliance, the last three points have given industry the feeling that it has some breathing room and doesn’t need to move as quickly in securing IT environments. The urgency around getting industry to a more secure and CMMC-compliant state has abated somewhat, knowing that the rulemaking process can take two years or more.

The best strategy, of course, is moving ahead as quickly as possible with enterprise security. Good security should result in compliance, not the other way around. Protecting your competitive information and intellectual property, as well as the sensitive information of your clients, should be your foremost concern. Compliance will happen if protection is put in place now.

In addition, NIST SP 800-171 outlines compliance requirements for DFARS that have been required since November 2020. Now that CMMC Level 2 and NIST SP 800-171 are identical, getting to a high confidence level with NIST SP 800-171 will also ensure greater compliance with CMMC.

Finally, early certification also gets you in line for third-party certification as early as possible. There are only a few third-party assessors at this point, and their schedules are full. Getting in line early creates a competitive advantage when CMMC becomes an acquisition requirement. CMMC 2.0 opened the possibility of self-assessment for non-prioritized acquisitions, but the CMMC-AB has pushed back hard against that option. In an open letter to President Biden, the Secretary of Defense, and several influential congresspeople, the CMMC-AB argued strongly that self-certification does not work and removes incentives for contractors to bring their programs into compliance with CMMC. Even if self-certification becomes an option for certain acquisitions, any acquisition designated “priority” will require a third-party certification.

In summary – don’t wait. Move forward with a holistic strategy to secure your infrastructure and get compliant early.