The United States Department of Defense (DoD) has released a revision to the Cybersecurity Maturity Model Certification (CMMC) 1.0 framework. Their goal is to streamline and accelerate the enforcement measures already in place for CMMC.
If you’re wondering what has changed and how it will affect your business, we’re here to help.
The first thing you should know is that the changes are only structural, and the core of the program hasn’t changed. If your organization is in the Defense Industrial Base (DIB), you’re still required to adopt and implement advanced security controls to protect sensitive, unclassified DoD data.
With CMMC 2.0, the DoD is doubling down on the requirements of the Defense Federal Acquisition Regulation Supplement (DFARS) subsection 7012, which uses the NIST 800-171 security framework. These regulations have been in place since 2016, but now the DoD is getting tougher on enforcing these requirements, with a focus on accountability. You’ll need to comply with them more quickly, and often under more scrutiny.
We don’t mean to imply that the revised standard is full of bad news, though. Along with the accelerated deadlines and increased scrutiny comes a certain amount of flexibility for organizations.
Self-Certify Your Organization and Save Money
One of the biggest developments in CMMC 2.0 is that Level 1 and non-prioritized Level 2 organizations can now self-certify their compliance. This is good news for companies that don’t relish the idea of hiring an expensive consultant to come in and handle their certification.
Of course, with greater freedom comes greater responsibility. If your company is allowed to self-attest, you’ll need to self-attest once every year, and your organization’s leadership will be required to affirm compliance. Organizations that fail to submit their assessments to the SPRS system, or that submit fraudulent certification information, will be subject to penalties as defined in the DoD’s terms of the acquisition contract, at the very least.
Companies will be allowed/required to self-attest to the SPRS only if the contract does not require a C3PAO audit.
Four More CMMC 2.0 Considerations
Here are four other highlights of the revised standard:
- Faster rollout. There’s no longer a five-year rollout period for the updated standard. With 2.0, it’s a 9-to-24-month rollout. At the end of this period, all affected organizations will need to be compliant.
- Broader impact. With CMMC 2.0, any company that handles any DoD data—even the lowest classification of Federal Contract Information—is required to self-attest to compliance and report its findings to the DoD.
- Greater accountability. C-level executives will now be required to attest to their organization’s compliance at all levels.
- Increased scrutiny. Organizations that are allowed to self-attest their compliance must do so once a year. Organizations that require a C3PAO audit will be required to undergo an audit once every three years.
Take the Next Step
Since 2018, Cocoon Data has been helping our customers secure regulated data that’s controlled by NIST 800-171 and DFARS 7012. Our advanced security controls and architecture can help companies achieve the controls required by CMMC 2.0.
We’ve found that most companies affected by the old CMMC framework now have more responsibility and less time to implement controls. Their costs won’t necessarily rise, but they’ll struggle to find the manpower to get compliant. What they need is not only a cost-effective solution, but one they can deploy quickly.
Our file sharing solution is now more relevant than ever given its simplified deployment and advanced security features. Cocoon Data covers 31 percent of the CMMC controls that affect almost all DIB organizations under CMMC 2.0 ML 2 controls.