Debunking Myths About CMMC 2.0 (Security Boulevard, original post)
The cybersecurity world remains dynamic. On November 4, 2021, the Department of Defense (DoD) posted an update to its Cybersecurity Maturity Model Certification (CMMC) initiative, announcing program changes dubbed CMMC 2.0. These changes were driven by a tremendous amount of industry input, which the DoD took into consideration during its review of the program over the past six months. The announced changes will affect the actions of DoD contractors as well as the service provider and vendor ecosystem that supports the defense industrial base (DIB).
To help government contractors better navigate the changes, I’d like to offer a few words of caution regarding some myths circulating about CMMC 2.0. Since we’re talking about the security of our nation, it’s important that everyone dig deeper than the headlines and ensure we are doing the best we can to build a resilient, well-defended DIB. Our nation is counting on us.   
Myth One: CMMC is “on hold.” The DoD has stated its intent to move quickly now that its internal review is complete. The CMMC Accreditation Body (AB) and the DoD are both moving forward. Given that CMMC 2.0 now aligns with existing Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS) requirements, which have been in effect since 2017, the DoD is not likely to allow a significant grace period for companies to come into compliance.
Myth Two: The rulemaking process is likely to slow things down. While it’s true that rulemaking can be excruciatingly slow, the DoD’s intent with CMMC 2.0 is to make the program easier and faster to implement. We may actually see CMMC appearing in contracts sooner than the 2025 full-rollout date planned under CMMC 1.0.
Myth Three: CMMC has become easier. Level 1 is essentially unchanged. Level 2 has become marginally easier: it now aligns with the 110 controls of NIST SP 800-171, dropping the 20 CMMC-unique practices of the old Level 3. The new Level 3 is still to be determined, but is likely a bit easier because the process maturity requirements have been eliminated. However, CMMC 2.0 can evolve and change faster than CMMC 1.0 could. We should expect the bar to rise as the threats we face adapt to our new security posture.
Myth Four: CMMC will now cost less. Some aspects of CMMC will cost less, while others will not. Allowing self-assessment for some Level 2 contracts removes the cost of a third-party assessment, but actually implementing and maintaining the NIST SP 800-171 controls costs what it always has.
Myth Five: DIB companies can wait for the rulemaking to be finalized before making cybersecurity decisions.
Myth Six: The expanded use of self-assessment under CMMC 2.0 means “do it yourself” is more feasible.
In closing, although the complexities associated with an effective cybersecurity program have not changed significantly, CMMC 2.0 has largely unblocked compliance by making it more affordable and achievable. Most in the DIB have self-attested compliance with NIST SP 800-171 since 2017. CMMC 2.0 builds on this requirement with increased scrutiny, enforcement and the selective addition of controls where needed. With CMMC 2.0 rulemaking expected to take nine to 24 months, contractors should use the time before the CMMC rollout wisely: ensure they are fully compliant with current requirements and, if they handle controlled unclassified information (CUI), be ready to demonstrate this to a CMMC Third Party Assessment Organization (C3PAO) or government auditor.
Ed Bassett is Chief Information Security Officer for NeoSystems, a full-service strategic outsourcing and managed services provider. Ed has more than three decades of experience in security and privacy program architecture, design, management and operations. He has been a principal advisor to many Fortune 500 and government clients on information systems security, responsible for securing their critical information assets for e-commerce transactions, sensitive health records and classified military communications. Ed is a U.S. Army veteran and a graduate of Clarkson University, where he earned a bachelor’s degree in computer science.