The Department of Defense (DOD) recently announced several changes to its Cybersecurity Maturity Model Certification (CMMC) program, which applies to DOD contractors and their suppliers. As described in our sister blog, the new version of the program, “CMMC 2.0,” differs from the original program in several important ways. CMMC 2.0 is anticipated to go into effect anywhere from nine to 24 months from now, once the associated rulemaking is complete.

Key differences include:

  • Restructuring the program into three levels (rather than five). A company's level depends on the type of information its systems handle, and each level carries its own set of required security practices.
  • Allowing Level 1 companies to self-assess (rather than be assessed and certified by a third party), and allowing self-assessment for certain acquisitions at Level 2 as well.
  • Aligning the required practices with National Institute of Standards & Technology (NIST) cybersecurity standards (for Level 2, the NIST SP 800-171 controls).
  • Increasing oversight of third-party assessors.
  • Allowing companies that have not yet met all requirements to remediate under strict timelines (through Plans of Action and Milestones), and permitting waivers in limited circumstances.

The new program aligns with current regulations governing the protection of Controlled Unclassified Information (CUI), in particular DFARS 252.204-7012. These regulations already require NIST SP 800-171 as the minimum level of security for CUI. Under DFARS 252.204-7019 and -7020, they also require a self-assessment or DOD assessment against the NIST SP 800-171 controls, with the resulting score reported to DOD through the Supplier Performance Risk System (SPRS).

Putting it into Practice: Companies that contract with the DOD (or are part of the DOD supply chain) will want to review their cybersecurity program, confirm that their current NIST SP 800-171 self-assessment and SPRS score are accurate, and update their compliance plans so that they are working toward the streamlined CMMC 2.0 requirements.