As 2021 draws to a close, we wanted to share a recap of some of the most important cybersecurity developments we covered this past year along with some suggestions on what companies (particularly those that do business with the federal government) should expect in 2022. This is part four of a four-part series (you can read Part 1 here, Part 2 here, and Part 3 here.

In November 2021, the Department of Defense (DOD) announced an updated version of its cybersecurity certification program – CMMC 2.0 – which includes several changes as compared to the original CMMC program. CMMC 2.0 takes a risk based approach to protecting sensitive defense information in company systems through rigorous security requirements and third party certifications or company self-attestations. We discussed the specific revisions and related implementation timeline here and here.

Putting it into Practice – What to expect in 2022: We expect the formal rulemaking process (including opportunity to comment) for CMMC 2.0 to begin sometime in 2022 (although CMMC generally has been plagued by delays). Once it begins, DOD estimates the rulemaking process will take anywhere from 9-24 months. In the meantime, companies that work in the DOD space should be following closely all proposed cybersecurity developments and prepare for the implementation of CMMC 2.0 by continuing to monitor and enhance their cybersecurity posture.

Putting it ALL into Practice: As we close out our four-part series, we leave you with this – in case it is not yet obvious, cybersecurity continues to be a primary focus of this administration, federal legislators, and government agencies.  Accordingly, in addition to the specific initiatives outlined in this four-part series, we expect new developments will continue apace in the new year so companies should stay vigilant and agile when it comes to cybersecurity.