Find Out—What Do These CMMC Updates Mean For Contractors?
The DoD has released updates to CMMC—find out what you need to know about compliance by reviewing the changes in this article, or get in touch with RetroFit Technologies directly for immediate consultation and support with your compliance initiatives.
DoD Issues CMMC 2.0
The Department of Defense has published Cybersecurity Maturity Model Certification (CMMC) 2.0, an updated program resulting from the completion of an internal program assessment led by senior leaders across the Department.
For the most part, this update clarifies the expectations of contractors like yourself, providing more insight into the ongoing process of public review. This means you do not necessarily have to rush to gain compliance right now—but don’t make the mistake of pushing off your DoD compliance efforts altogether.
How Is CMMC 2.0 Different From The Original Program?
The key points detailed in the DoD’s new CMMC program overview and implementation overview include:
- CMMC 2.0 must undergo public review and acceptance; until then, it is on hold, along with all CMMC initiatives
- The DoD is discontinuing pilot program initiatives and removing CMMC language from contracts until the Title 32 CFR and Title 48 CFR rulemaking processes are complete, estimated to be 9-12 months from now
- The 20 CMMC level 3 controls that were previously added into DFARS and NIST 800-171 are being revoked
- The Level 2 and Level 4 maturity categories are no longer in effect, leaving just three levels (1-3), where the new Level 2 replaces the previous Level 3
- You are allowed to self-assess for CMMC Level 1 audits
- CMMC Level 2 now includes two options:
  - Non-Prioritized Acquisitions/Data: May be self-assessed
  - Prioritized Acquisitions/Data: Requires a third-party assessment specifically for those assets
- POA&Ms will be allowed under specific circumstances, which will be detailed by the DoD at a later date. You will have to meet a minimum score to qualify.
- The DoD may issue waivers to exempt contractors from CMMC requirements due to mission-critical components
- The DoD may offer incentives (financial or otherwise) for contractors that voluntarily meet CMMC certification
What Does This CMMC Update Mean For You?
At a high level, this update means you have more time to consider your CMMC strategy. The details of many key points are still being worked out, which means you don’t need to rush to implement any new controls.
In the meantime, you need to maintain your DFARS and NIST compliance processes. And of course, you will need to keep CMMC on your radar. Within 9-12 months, the public review should be complete and CMMC language will begin entering DoD contracts.
Need Expert Assistance Maintaining Compliance?
Even though you don’t have to worry about CMMC right now, you still have to manage your DFARS and NIST compliance in order to keep winning contracts. And you’ll likely need to launch a CMMC initiative within a year regardless.
RetroFit Technologies will help—we have extensive experience helping contractors maintain compliance with complex systems like DFARS and NIST. We will do the same for you.
Get in touch with our team to get started.