On November 17, 2021, the Department of Defense published an advanced notice for changes to be made to CMMC 1.0, rolling out the new title, “CMMC 2.0”.  Changing the trusted policies of CMMC 1.0 can bring risk to your business.  Will CMMC 2.0 kill your business?  Keep reading to find out how your business can stay ahead of the game.

What is CMMC 2.0?

CMMC 1.0 was originally implemented by the Department of Defense (DoD) to set regulations regarding cybersecurity for the companies holding DoD contracts.  CMMC 2.0 was created by the Biden Administration to replace the original CMMC regulations.  Rolling out in 2023, you can expect CMMC 2.0 to bring:

  • 3 levels of compliance instead of 5
  • Elimination of all maturity processes
  • Use of self-assessments
  • Self-Assessments validated tri-annually for Levels 2 and 3
  • Simplified CMMC standards

Who is Affected by CMMC 2.0?

The new CMMC 2.0 policy directly impacts businesses working in the Department of Defense supply chain that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) as part of their awarded contracts.  These businesses include:

  • DoD prime contractors
  • DoD subcontractors
  • Foreign suppliers
  • DoD small business suppliers
  • Commercial suppliers that process or store CUI

How CMMC 2.0 Could Kill Your Business

New policies and procedures mean new risks associated with your business.  Will CMMC 2.0 kill your business?  Watch out for these four (4) risks associated with CMMC 2.0:

Self-Assessments Do Not Work if Not Taken Seriously

Self-assessments are only as successful as your organization makes them out to be.  They will require proper training to ensure the right procedures are followed.  Imagine if other organizations like OSHA or the IRS used self-assessments, the systems would not work.  Having self-assessments at this scale brings with it the task of training employees at multiple levels in order to comply with CMMC 2.0 policy. Self-assessments end up being time consuming, as your employees could instead be focusing on tasks that build your productivity.

  • For Level 1 companies, a tri-annual CMMC 3rd-Party Assessor Organization (C3PAO) assessment has been replaced by a self-assessment. This self-assessment is done three times as often.
  • For Level 2 companies, the elimination of CMMC’s Delta 20 practices and the maturity processes reduces the number of items that must be assessed. This is an annual requirement rather than a tri-annual requirement.  Every 3 years you will be required to validate the data in your self-assessment with risk of losing your compliance status if you are not doing what you said you were to comply.

Risk of Less Compliance

When you rely on employees to conduct self-assessments, you risk employees not complying with policies.  Self-assessments can create the wrong kind of incentive for employees, for example, an employee might not report a cybersecurity breach because it could lead to an investigation. Misreporting data would violate The False Claims Act and cause costly litigation to your organization. Contractors face incentives that push them to comply with the bare minimum requirements of CMMC 2.0 in order to try to save money.  CMMC 2.0 allows for less compliance due to a change of incentives.

CMMC 2.0 Will Not Scale

The new policies of CMMC 2.0 are essentially giving defense contractors more time to do less about their cybersecurity.  During a time of heightened threats, relaxing assessment policies will have a double edged sword.

The Department of Defense claims the policies of CMMC 2.0 will be less costly for businesses since assessments will no longer require a third party, but businesses will still see costs in upkeeping cybersecurity.  Many CMMC Registered Provider Organizations do not like the idea of self-assessments and think CMMC 2.0 will not scale.

Long Switch to CMMC 2.0

It’s going to take up to 2 years to switch from CMMC to CMMC 2.0.  Starting late on the process could jeopardize your business.  You should aim to familiarize your organization with the policy early on to show your commitment to cybersecurity.

Companies that fail to comply early on will take on more risk and lose the advantage of educating their customers early on.  Being upfront and clear with your customers and employees about the long-term switch to CMMC 2.0 will establish trust and perception that you are an expert in cybersecurity.  Not addressing the new policies could kill your relationship with customers.

Stay Secure with Kyber Security

As the cyber threat landscape constantly evolves, your security measures should be one step ahead.  Kyber Security has dedicated professionals experienced in protecting your organization from ever increasing cyber threats.  We will work tirelessly to keep your company protected from cyber-attacks.

Are you ready to put security first? Sign up to get started.