CMMC 2.0: Key Updates
There have been several noteworthy updates surrounding the CMMC (Cybersecurity Maturity Model Certification) program since version two — CMMC 2.0 — was released toward the end of 2021.
Below we’ll cover the key changes you need to know if your business processes CUI (controlled unclassified information) or FCI (federal contracting information), including the:
- New title of the CMMC accreditation body (CMMC AB)
- Projected timeline for program launch
- Voluntary CMMC assessments status
- Introduction of a new federal cybersecurity framework
The CMMC AB Becomes the Cyber AB
In early June, the CMMC AB officially changed its name to the Cyber AB. According to Cyber AB Director and CEO Matthew Travis, the new moniker was introduced to simplify the AB’s previously lengthy name as well as set the organization up for future growth into other industries.
“I’ve had discussions with representatives of other departments of other sectors of critical infrastructure, and even other countries who are interested in the value that the CMMC model brings,” said Travis.
Since elevated cyber threats have become the new normal, Travis says he believes passing a rigorous CMMC assessment is an effective way to “buy down risk.” The collective cybersecurity experience held by the professionals who make up the CMMC ecosystem could certainly prove beneficial in assessing risk across industries.
No matter the future of the CMMC program, it’s important to note the Cyber AB’s primary mission remains the same as it was under its previous name: to authorize and accredit CMMC C3PAOs (Third-Party Assessment Organizations) that conduct CMMC assessments of companies within the DIB (Defense Industrial Base).
The DFARS Interim Rule and CMMC 2.0 Timeline Update
After the DoD (Department of Defense) released CMMC 1.0 at the beginning of 2020, the department proceeded to publish the DFARS Interim Rule in September of the same year. The rule is essentially a stopgap measure intended to pave the way for CMMC and to inform DoD contractors that they must report their compliance with NIST 800-171.
The DoD then used the public feedback it received on the Interim Rule to restructure the program into CMMC 2.0 in November 2021. When asked about the timeline for the CMMC 2.0 rollout, the DoD has frequently said the rulemaking process could take anywhere from 9 to 24 months, leaving many contractors wondering when requirements will be added to contracts.
However, CMMC Director and DoD Deputy Chief Information Officer for Cybersecurity Stacy Bostjanick recently provided some clarity around the interim final rule and the CMMC 2.0 timeline. She noted the following:
- The current plan is for the DFARS Interim Final Rule update to be released in March 2023 and go into effect after a 60-day comment period.
- This means CMMC 2.0 requirements could begin appearing in DoD solicitations as early as May 2023.
- However, if the Office of Management and Budget (OMB) does not approve the interim rule, these dates will be pushed out by one year and requirements will be present in contracts starting May 2024.
Once CMMC 2.0 is officially implemented, not all contractors will be required to immediately obtain certification to handle CUI. The DoD is going to perform a phased rollout. When CMMC first begins appearing in solicitations, all contractors will have to conduct a self-assessment and provide a positive affirmation of compliance.
During the next phase, solicitations will require either a self-assessment or third-party certification depending on the type of information involved and the associated certification level. While the timing of these phases is to be determined, contractors should not delay in preparing their information systems for CMMC assessment.
CMMC 2.0 Voluntary Assessments
To encourage contractors to prepare proactively for CMMC 2.0, there will also be a voluntary interim program in which contractors can earn a certification that will be honored when CMMC rulemaking goes into effect.
The voluntary assessment program, which may start as soon as August of this year, will allow companies to contract with an authorized C3PAO with oversight from the DIB Cybersecurity Assessment Center (DIBCAC). Companies that pass a Level 2 assessment — the level most contractors must meet for certification — will receive credit for a high-assurance DIBCAC assessment.
Once CMMC 2.0 becomes an official requirement in 2023 or 2024, the DoD intends to allow these certifications to remain valid for an additional three years beyond that date.
A New Cyber Secure DIB Framework
Another relevant update that won’t necessarily impact the CMMC certification program but is worth keeping an eye on: Pentagon Cyber Chief David McKeown says there are active discussions around creating a “cyber secure” framework for the DIB.
“As we go forward, we are partnering with the DIB sector coordinating [council] and CISA and trying to work on how we develop a cyber secure DIB framework. We think it will be based on [the] NIST cybersecurity framework,” said McKeown.
Inspired largely by the state of global warfare, the proposed framework would help protect not only sensitive data but also the entire supply chain to minimize widespread damage from a cybersecurity incident.
Start Getting Ready for CMMC Today
Have additional questions about CMMC 2.0 and how to best prepare for implementation? A-LIGN can help. As one of the first candidate C3PAOs and a top assessor of federal compliance, our firm can perform a CMMC Readiness Assessment by evaluating your organization’s security policies, procedures, and processes against the controls published in NIST 800-171.