Technological advancement is also paving pathways for cyber attackers and hackers. As a result, the past few years have seen enormous amounts of stolen data from individuals and companies, small and midsize businesses (SMBs), and government institutions. According to the most recent estimates, cyberattacks pillage around $600 billion each year from the global GDP. These global concerns have led to strict measures and policies to enhance cybersecurity and safeguard sensitive information.

Like other government institutions, the Department of Defense (DoD)—perhaps the most crucial branch to national security—also faces the risk of cyberattacks and data theft. As DoD works with countless contractors, third-party companies, and individuals, their system is more vulnerable to foreign attacks. For example, the Pentagon alone receives more than 35 million phishing emails each day to breach the system’s security. Moreover, foreign powers are always trying to hack into the governmental database to exploit the system and steal important security information apart from phishing attacks.

To tackle all these risks and reduce national security vulnerabilities, DoD introduced the first-ever Cybersecurity Maturity Model Certification, the CMMC framework. This CMMC framework was created in 2020 and is now termed CMMC 1.0. Before the introduction of CMMC, all partners of DoD or other government institutions were supposed to carry out their necessary cybersecurity measures independently. This certification calls for a third-party audit to keep the systems more secure and protected. In addition, this training, certification, and third-party assessment program assesses defense contractors’ cybersecurity capabilities and readiness to secure the controlled unclassified information and other federal contract information.

CMMC 1.0 was a comprehensive framework with five levels, ranging from basic cyber hygiene to the most optimized and advanced practices. Although it was not flawed or ineffective, it needed to adjust to the evolving cyber-threat landscape. Therefore, the U.S government introduced improvements to the certification to make it easier for SMBs to attain the required controls to achieve federal contract opportunities. They also updated the CMMC framework according to the affected parties and contractors’ overall response and more than 850 comments. CMMC 2.0 is the resulting certification. It has opened new pathways for SMBs, and the overall levels are now reduced to three instead of five. Moreover, it also allows contractors to conduct self-assessments to comply the Level-1 of CMMC 2.0, making it a more flexible version of CMMC 1.0.

An Overview of the New Updates in CMMC 2.0

The most significant changes that the U.S government introduced into the CMMC framework include:

• CMMC 2.0 now has only three levels of cybersecurity compared to the previous five levels. These levels include Foundational (Level-1), Advanced (Level-2), and Expert (Level-3). These levels differ for companies and contractors dealing with the type of information, as the first level applies to almost all defense industrial base (DIB) companies. In contrast, the latter two apply to companies with access to more sensitive information.
• CMMC 2.0 also reduces the cost associated with the certification process for small contractors and sub-contractors that fall under Level-1, allowing annual self-assessment for those companies.
• CMMC 2.0 employs a Plan of Action and Milestones (POA&M) requirement, which mandates companies to submit a plan for their ongoing cybersecurity management operations. In addition, CMMC 2.0 requires companies to identify and report any other security-related conditions in the framework that is yet to be met. The plan of action allows companies to continue improving their cybersecurity measures.

The Impact of CMMC 2.0 on Government Contractors

CMMC 2.0 is more refined, flexible, and lenient to help reduce the cost associated with training and certification for the majority of the contractors; it also helps accelerate the process of accreditation. CMMC 2.0 eradicated Level-2 and Level-4 that was introduced initially in CMMC 1.0 – a simplified method was devised by dividing the levels according to the information exposed to the contractors. Around 300,000 contractors are working with DoD, and it was almost impossible to get them certified with the previous version of the certification. Therefore, DoD made it more friendly for the companies and allowed them to use POA&M to continue working before fully complying. However, CMMC 2.0 is still not fully updated and implemented as it will require the next 9–24 months in full implementation and operation.

If your company is working with DoD, it is still required to follow NIST 800-171 to design and implement cybersecurity measures until the transition to the newer version of certification is complete from DoD’s side as Level-1 is now based on self-assessment of the contractors dealing with Federal Contract information only. It includes 17 controls of the previous CMMC 1.0 Level-1, whereas Level-2 has 110 controls of NIST 800-171. The Level-3 or expert level is still under development; the government will oversee it.

Conclusion

As the threat landscape continues to evolve, so do controls and processes. Therefore, security frameworks that guide some of the most sensitive information must consistently align to remain proactive in the face of evolving cybersecurity threats. The recent changes to the CMMC framework ensure that small and midsize businesses can benefit from the advantages of attaining a federal government. As such, the DoD reduced the costs associated with CMMC 2.0 certifications and allowed companies to present their plan of action to improve their security gradually.

Overall, complex requirements tie CMMC 1.0 and CMMC 2.0 together, with subtle differences that knowledgeable professionals with CMMC-related materials must assess. However, for entities that are already CMMC 1.0 compliant, the process to attaining CMMC 2.0 certification will be relatively straightforward and affordable. Therefore, engaging with a reputable CMMC-accredited team will ensure that critical requirements are met in a timely fashion.