As the US Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) program inches closer to “going live” and appearing in contracts, questions and concerns linger across the Defense Industrial Base (DIB).
Fear not, Kyber Security is here to ease stress and provide clarity on a wide range of CMMC 2.0 questions. Before we delve into your pressing questions, here are some other CMMC resources to guide you.
- Which CMMC 2.0 Level is Right for My Company?
- Keep Your DoD Contracts: Start Your CMMC 2.0 Journey With This Checklist
- What are the Top Challenges Associated with CMMC 2.0 Compliance?
- What are the Changes That We Will See With CMMC 2.0?
- Will CMMC 2.0 Kill Your Business?
- Webinar: Discussion of the Top 10 Most Common CMMC Gaps
What are the Top Questions Regarding CMMC 2.0 Compliance?
Does My Business Need to be CMMC Certified?
Any organization that handles federal contract information (FCI) or controlled unclassified information (CUI) in the course of DoD work, including subcontractors at every tier, will be required to meet the CMMC level specified in its contract once the requirement begins appearing in contracts. Contracts that involve neither FCI nor CUI, such as purely commercial off-the-shelf (COTS) purchases, are outside the program's scope.
Why Was CMMC 2.0 Released?
CMMC 2.0 was released in November 2021 in an effort to streamline the CMMC process. The original CMMC program raised significant concerns in the industry regarding the costs and burdens of meeting stringent cybersecurity requirements. Requiring a third-party assessment for every contract at every compliance level was also a major concern, because it made it difficult for small- and medium-sized businesses (SMBs) to compete for DoD contracts.
The primary purpose of the certification is to protect federal contract information (FCI) and controlled unclassified information (CUI) held on contractor systems.
After months of internal review of CMMC 1.0’s implementation and gathering feedback from industry, Congress, and other stakeholders, the DoD decided to make substantial changes to the program’s strategic direction. The changes aim to reduce costs, clarify and align cybersecurity requirements with widely accepted standards, and increase trust and confidence in the framework.
What are the Key Differences Between CMMC 2.0 and 1.0?
Remember, CMMC 2.0 is an effort to streamline the original assessment framework, lower costs, and simplify its implementation. The following are the key changes in CMMC 2.0:
- Reduced the certification levels from five to three (Level 1 Foundational, Level 2 Advanced, Level 3 Expert)
- Removed the maturity processes and the CMMC-unique practices that had no counterpart in existing standards
- Aligned Level 2 (Advanced) with the 110 security requirements of National Institute of Standards and Technology Special Publication (NIST SP) 800-171
- Based Level 3 (Expert) on a subset of the enhanced requirements in NIST SP 800-172
- Allowed time-limited plans of action and milestones (POA&Ms) for certain unmet requirements, and waivers in limited circumstances
These major updates are detailed in our article on the changes coming with CMMC 2.0, which explains how they will affect DoD contractors.
Can My Organization Do a Self-Assessment for CMMC?
Level 1 can be met through an annual self-assessment, since it only deals with FCI. Contractors at Level 2 on non-prioritized acquisitions are also permitted to perform an annual self-assessment. Under CMMC 2.0, each self-assessment must be accompanied by an annual affirmation of compliance from a senior company official, which is what exposes the company to liability if the affirmation is false. All other Level 2 contractors, those on prioritized acquisitions involving CUI, require a triennial third-party assessment from a CMMC Third-Party Assessment Organization (C3PAO). Contractors at the highest level, Level 3, will be required to undergo a triennial government-led assessment in addition to the Level 2 C3PAO assessment.
Will Prime Contractors and Subcontractors be Required to Maintain the Same CMMC Level?
The required level follows the information that is flowed down. If a prime contractor and a subcontractor handle the same types of FCI and CUI, the same CMMC level applies to both. If the prime flows down only select information, for example FCI but no CUI, a lower CMMC level may apply to the subcontractor. Primes should document what each subcontractor receives, since that determination is what justifies the level assigned.
What are the Consequences of Non-Compliance with CMMC 2.0?
A business that does not achieve the CMMC level specified in a solicitation will not be eligible for award of that contract. Failing to maintain a certification, or affirming compliance that the company does not actually have, can result in loss of existing government contracts, breach-of-contract claims, liability under the federal False Claims Act for false attestations of compliance, and suspension or debarment from future contracts.
How Often Will I Need to be Re-Assessed?
Once CMMC 2.0 is implemented, self-assessments, which apply to Level 1 and to Level 2 on non-prioritized acquisitions, will be required annually, with an annual affirmation from a senior official. Third-party and government-led assessments, which apply to Level 2 on prioritized acquisitions and to all of Level 3, will be required every three years. Keep in mind that a triennial assessment certifies a point in time; the underlying controls still have to be maintained continuously between assessments.
Working Towards CMMC 2.0 Compliance
If your organization needs to be CMMC compliant to retain current DoD contracts and continue bidding for future contracts, you will greatly benefit from working with an experienced managed IT and security services provider like Kyber Security.
We’re currently offering a CMMC gap review, during which we will walk through the CMMC 2.0 controls with you to identify weak spots in your company’s IT and security posture so you can start to plan your journey to compliance.
The review produces actionable findings your organization can use to start on the road to compliance. This offer is limited to the first 50 respondents, so act today to secure your review.