Cybersecurity Maturity Model Certification (CMMC) Assistance and Training

Ensure that all cybersecurity controls and processes properly protect Controlled Unclassified Information (CUI)

Overview of the CMMC

Cybersecurity mandates have made their way through the defense industry, and they have grown more important as government-led efforts to protect the U.S. defense supply chain from outside cyber threats, and to lower risk levels across the wider defense sector, have increased.

The Cybersecurity Maturity Model Certification (CMMC) is the latest verification mechanism designed by the Department of Defense (DoD) and the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) to make sure that all cybersecurity controls and processes properly protect Controlled Unclassified Information (CUI) residing on Defense Industrial Base (DIB) networks. CUI refers to any government-created or government-owned information that requires safeguarding or dissemination controls under applicable laws, regulations, and government-wide policies.

CMMC 2.0 Announced by the Department of Defense

On November 4, 2021, the Department of Defense (DoD) released updates to the Cybersecurity Maturity Model Certification (“CMMC”) program, called “CMMC 2.0.” The DoD intends to engage in additional rulemaking to refine and finalize CMMC 2.0. Although the overall goal of the program remains focused on safeguarding sensitive unclassified information, CMMC 2.0 includes several important differences from the original program.

CMMC 1.0 vs CMMC 2.0

The DoD’s announcement indicates it plans to update the CMMC program to streamline the model, reduce assessment costs, and provide for more flexible implementation. Below are some key differences between CMMC 1.0 versus the proposed CMMC 2.0:

  • The total number of assessment levels has been reduced from 5 to 3;
  • A self-assessment is allowed at Level 1 and at Level 2 (if the contractor is not handling “critical national security information”);
  • CMMC 2.0 aligns with the required practices for cybersecurity standards issued by the National Institute of Standards and Technology (NIST);
  • The total number of required security practices is reduced;
  • Oversight of third-party assessors is increased;
  • CMMC 2.0 allows Plans of Action & Milestones (POA&Ms) and waivers to CMMC requirements under certain, limited circumstances; and
  • The timeline for compliance has changed (to be required when the rulemaking is complete, estimated to be in 9-24 months after November 2021).

CMMC 2.0 Implementation Timeline

The proposed changes still need to go through the rulemaking process, which DoD anticipates could take 9-24 months; contractors will not be required to comply with CMMC 2.0 until the forthcoming rules go into effect.

This differs significantly from the prior timeline for CMMC 1.0, which included pilot programs and gradual implementation, culminating with the mandate for widespread inclusion of the CMMC requirements in all DoD solicitations by October 2025.

For CMMC 2.0, there currently is no mention of pilot programs, and DoD is suspending the current CMMC pilot program while the rulemaking process is ongoing.

It appears the timeline for implementation has been accelerated, as DoD stated CMMC 2.0 will become a contract requirement once the rulemaking is complete (in 9-24 months from November 2021). This likely means all contractors will need to prepare for CMMC compliance by November 2023, at the latest.

The Importance of CMMC

The CMMC process verifies that all considered contractors will have adequate cybersecurity controls and policies in place to align with rigid defense requirements and security standards. CMMC enables organizations to:

  • Add value and cost-effectiveness to their integrated QMS approach
  • Optimize their Enterprise Risk Management
  • Establish a benchmark against which they can evaluate the current capability level of their processes, practices and methods, and set goals and priorities for improvement

Your Trusted Partner

TÜV SÜD’s experienced ISMS teams possess the accreditation and expertise to advise on CMMC. Through our worldwide network of IT governance professionals, we can provide information on CMMC. Furthermore, TÜV SÜD’s experts actively participate in international standardization committees and we have a complete understanding of the latest PII regulatory developments around the world.

Contact Us to Learn More About CMMC