Recently, the Department of Defense decided that the original goals set for CMMC rollout were too difficult to reach in the time frames set. For small and medium-sized companies, the cost of getting certified was deemed too high, and making companies that don’t handle Controlled Unclassified Information go through an expensive certification process was ruled out. Because of this, the Department of Defense has revised the original CMMC plan to CMMC 2.0, which will align more closely with NIST regulations, and set more realistic goals for cybersecurity.
So, what can we expect from CMMC 2.0? To begin, CMMC 2.0 will align completely with NIST standards, instead of maintaining a separate set of standards and controls. CMMC 2.0 also has three levels of security, as opposed to the previous five. Level one focuses on foundational security and relies on an annual self-assessment. Level two focuses on more advanced security, with practices aligned with NIST SP 800-171. Level two will require triannual third-party assessments for information critical to national security and will allow select programs to use an annual self-assessment. Level three will be an expert level of security and follow the practices of NIST SP 800-172; this level will require triannual government-led assessments. The level of CMMC required will be based on the type of information involved in the Department of Defense contract, ranging from non-critical information to high-priority information pertaining to national security.
With the development of CMMC 2.0, companies will no longer be required to hold a third-party certification to handle most CUI. Assessments will only be required for more secure CUI, and will take the form of either a third-party evaluation or a government-led evaluation three times a year. Based on what the Department of Defense has communicated, officials from any company claiming to meet CMMC requirements will have to digitally sign an attestation that their company is compliant with its stated CMMC level.
Based on current news, for the next 9-24 months there will be no mandatory CMMC certification for companies contracted by the DoD, and according to recent comments CMMC will be voluntary for the time being. However, companies must still meet the requirements set by the Department of Defense, and waivers of those requirements are virtually impossible to obtain. The DoD plans to have CMMC 2.0 fully implemented within two years, as the requirements set by the newly restructured CMMC are based on existing cybersecurity regulations and requirements.