What was CMMC 1.0?
The Cybersecurity Maturity Model Certification program was developed in September 2020 with the intent to establish a cybersecurity framework for companies within the Defense Industrial Base (DIB), which are often targeted with sophisticated cyberattacks. The five-tiered program was designed to be implemented as a requirement through contract awards. Ascending to higher tiers required third-party assessments to verify increased cybersecurity standards. The tiered model allows contractors access to different unclassified information based on the type and sensitivity of the information.
What is CMMC 2.0?
After an extensive public comment period during which the Department of Defense received over 850 comments, CMMC 2.0 was announced. This revamped version of CMMC streamlines the original tiered model from five tiers to three, lowering the costs to DIB companies by reducing the required third-party and DoD assessments and by introducing annual self-assessments for tier one and tier two (for select unannounced programs). This was done specifically to increase small business accessibility to the program. The level assessment requirements are as follows:
Level 1 - Annual Self-Assessment
Level 2 - Third Party Assessments for critical national security information
Level 3 - Government-led Assessments
The updated program also allows for waivers to CMMC requirements under limited circumstances. Compliance requirements will not go into effect until the Department of Defense solidifies the new rules. This is estimated to take 9-24 months as another 60-day public comment period is also required. Once the rules are solidified the DoD will begin adding CMMC 2.0 as a contract requirement and will be required on all contracts by 2026.
Potential Issues With CMMC 2.0
CMMC 2.0 is a step in the right direction for small businesses but does pose some potential problems. The assessments have been reduced, though will still cost large sums of money to obtain, with costs ranging between $1,000 and $482,000. The less expensive assessments have likely been wrapped into annual self-assessments, meaning the largest costs remain.
Self-assessment affirmations put companies at risk for False Claims Act suits. Assuring your self-assessments are accurate and will not cause you lawsuits could require outside council; this is a potential added cost.
Lastly, due to CMMC’s short existence we can expect changes small and large in the short and long term as the program continues to develop and key issues come to light.