DoD contractors are seeking clarification on timelines and actionable solutions to take them down the path to cybersecurity maturity within the CMMC 2.0 program.
That was a mouthful.
And if you’re a small or medium-sized DoD contractor looking for CMMC 2.0 solutions and guidance, you’re in the right place to get answers.
Here’s what you’ll learn in this post:
- What Is CMMC 2.0? (Brief Overview)
- What Are The Timelines For Reaching The Three Maturity Levels?
- Are Cloud Solutions Viable?
- Are SPRS Scores Tied To CMMC Maturity?
- What Actions Do You Need To Take Today?
Systems Management Enterprises, Inc., is a Virginia-based Information Technology and Security Company offering a portfolio of compliance-tested, cost-effective solutions for small and medium enterprises in the DoD space.
If you could use some expert assistance navigating the complex world of CMMC compliance and cybersecurity, get in touch with our team today.
Now let’s drill down into CMMC 2.0 and its impact on DoD contractors. We’ll get started with a quick review of the basics.
What Is CMMC 2.0 (Brief Overview)?
In a nutshell, the Cybersecurity Maturity Model Certification is the DoD’s mechanism for verifying that contractors actually implement the cybersecurity requirements their contracts already impose, rather than merely attesting to them. The intent is to safeguard federal contract information (FCI) and controlled unclassified information (CUI) that is routinely handled and processed by the defense industrial base, or DIB.
The DIB comprises over 100,000 diverse contractors and subcontractors supplying a broad spectrum of products and services to the DoD.
The foundational standards codified in CMMC 2 derive from the National Institute of Standards and Technology (NIST) SP 800-171 specification. Here’s how NIST defines the specification:
NIST SP 800-171 is a NIST Special Publication that provides recommended requirements for protecting the confidentiality of controlled unclassified information (CUI). Defense contractors must implement the recommended requirements contained in NIST SP 800-171 to demonstrate their provision of adequate security to protect the covered defense information included in their defense contracts, as required by DFARS clause 252.204-7012.
CMMC 2.0 supersedes CMMC 1.0, DoD’s first attempt at a cybersecurity maturity model. Version 2.0 collapses the original five maturity levels into three and drops the practices that were unique to CMMC: where the top level of 1.0 required 171 practices, Level 2 of 2.0 is now exactly the 110 requirements of NIST SP 800-171. Level 1 covers the basic safeguarding requirements of FAR 52.204-21 for FCI, and Level 3 adds a subset of NIST SP 800-172 on top of Level 2.
Based on the current state of the CMMC program, we’re getting this next question a lot from our DoD contractor clients.
What Are The Timelines For Reaching The Three Maturity Levels?
Let’s review the evolution of the CMMC 2.0 cybersecurity model and update you on what you need to do next as a DIB contractor.
DoD reviewed CMMC 1.0 for the better part of a year, from late 2020 well into 2021, without releasing much of substance. There was plenty of industry chatter about where the process was headed, but nothing official, until November 4, 2021, when CMMC 2.0 was formally announced.
From the DoD press release:
The enhanced “CMMC 2.0” program maintains the program’s original goal of safeguarding sensitive information, while:
- Simplifying the CMMC standard and providing additional clarity on cybersecurity regulatory, policy, and contracting requirements;
- Focusing the most advanced cybersecurity standards and third-party assessment requirements on companies supporting the highest priority programs; and
- Increasing Department oversight of professional and ethical standards in the assessment ecosystem.
Activity around CMMC 2.0 picked up significantly after the press release, in the form of DIB discussions, speculation, webinars, etc. The scuttlebutt continued throughout calendar year 2022.
So here we are in mid-2023. We’re advising our clients that one of the most consistent talking points from DoD over the past 18 months has been that it will officially introduce CMMC 2.0 into the rule-making process for a 2023 rollout.
It appears that the CMMC 2 rulemaking process is imminent.
So what do DIB contractors need to know about CMMC 2.0 in 2023?
Based on our experience, we expect to start seeing CMMC 2.0 requirements in DoD contract language this summer, possibly by late July or August. DoD’s own CMMC guidance has been consistent on the sequence:
The publication of materials relating to CMMC 2.0 reflect the Department’s strategic intent with respect to the CMMC program; however, CMMC 2.0 will not be a contractual requirement until the Department completes rulemaking to implement the program. The rulemaking process and timelines can take 9-24 months. CMMC 2.0 will become a contract requirement once rulemaking is completed.
Counting 24 months from the November 2021 announcement puts the outside date at November 2023. Much of the groundwork is already done, and much of the initial public comment has already been incorporated into CMMC 2.0.
What’s the bottom line? Even on the fastest path, a proposed rule this summer followed by a short comment period and a final rule, the requirement will land in new solicitations before most contractors can implement and document 110 requirements, which takes months rather than weeks. The time to start is before the rule is final.
Contractors are looking for solutions and a path forward for compliance.
Are Cloud Solutions Viable?
Our team is fielding tons of questions about cloud services as potential solutions for CMMC 2.0 certifications.
Generally speaking, cloud services can be an excellent path to CMMC 2 maturity, because a provider that already operates to a FedRAMP baseline lets you inherit a large share of the 110 requirements (physical protection, much of configuration management, and the underlying infrastructure controls) instead of building them yourself. Microsoft’s offerings are the ones we see most often: Azure Commercial with Microsoft 365 Commercial, Microsoft 365 Government Community Cloud (GCC), and GCC High, the last two running on Azure commercial and Azure Government infrastructure respectively, each with features aimed at specific CMMC 2 requirements.
Two caveats a contractor should check before signing up. First, DFARS 252.204-7012 requires that any cloud service used to store, process, or transmit covered defense information meet the FedRAMP Moderate baseline or equivalent and support the clause’s cyber incident reporting obligations; that is the usual reason GCC High is chosen for CUI, especially export-controlled CUI, rather than a commercial tenant. Second, inheritance is never total: the provider secures the platform, but the tenant configuration (MFA, conditional access, logging, device management), the system security plan, policies, and training remain the contractor’s responsibility and are what an assessor will actually examine.
We can help you navigate cloud solutions in the context of cost, timelines, and viability.
Are SPRS Scores Tied To CMMC Maturity?
We wanted to clarify a few persistent questions we’re getting from our clients concerning SPRS scores and CMMC 2.
The two are not the same program, but they rest on the same 110 requirements, so the overlap is substantial.
Your SPRS score comes from the NIST SP 800-171 DoD Assessment Methodology, which DFARS 252.204-7019 and 252.204-7020 require you to perform and post (with the date by which you expect to reach 110) before award. The score starts at 110 and subtracts a weight of 1, 3, or 5 points for every requirement you have not implemented, so it can run as low as -203; a score below 110 is therefore a list of specific gaps with a priority attached. CMMC 2.0 Level 2 assesses exactly those 110 requirements.
So a contractor who performs a NIST SP 800-171 self-assessment, closes the highest-weighted gaps first, and posts the updated score to SPRS is raising its SPRS score, improving its CMMC Level 2 readiness, and improving its chances of winning DoD contracts with one piece of work.
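To make the points system concrete, here is a small scorer for the DoD Assessment Methodology calculation behind an SPRS score. It is an added example, not code from the original post or from Systems Management Enterprises. The handful of requirement weights in the table are a constructed subset for illustration and are an assumption of this example; before relying on a number, take every requirement’s weight from the methodology’s Annex A. The three scoring rules it implements (start at 110 and subtract each unmet requirement’s weight; partial credit of a 3-point deduction instead of 5 for MFA and FIPS-validated cryptography; no score at all without a system security plan) are the methodology’s own.

```python
# Added example (not from the original post): scorer for the NIST SP 800-171
# DoD Assessment Methodology, the calculation behind the score posted to SPRS.
#
# Rules implemented:
#   - start at 110, one point per requirement, and subtract the weight
#     (1, 3 or 5) of every requirement assessed as NOT MET;
#   - 3.5.3 (MFA) and 3.13.11 (FIPS-validated cryptography) may earn partial
#     credit: deduct 3 instead of 5 when partially implemented;
#   - 3.12.4 (system security plan) not implemented: no score can be produced.
# WEIGHTS is a constructed subset used only for illustration (an assumption of
# this example); take every requirement's weight from the methodology's Annex A.

from typing import Dict, List, Tuple

MAX_SCORE = 110
MIN_SCORE = -203            # every requirement NOT MET: 110 minus 313 total weight
SSP_REQUIREMENT = "3.12.4"  # no system security plan -> no score

# Constructed sample of requirement weights (assumed; verify against Annex A).
WEIGHTS: Dict[str, int] = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.1.3": 1,    # control the flow of CUI
    "3.1.5": 3,    # least privilege
    "3.1.8": 1,    # limit unsuccessful logon attempts
    "3.3.1": 5,    # audit logging
    "3.5.3": 5,    # multifactor authentication
    "3.12.4": 5,   # system security plan (see SSP_REQUIREMENT)
    "3.13.11": 5,  # FIPS-validated cryptography for CUI
    "3.14.2": 5,   # malicious code protection
}

# Requirements with a defined partial-credit deduction.
PARTIAL_DEDUCTION: Dict[str, int] = {"3.5.3": 3, "3.13.11": 3}

STATUSES = {"met", "partial", "not_met"}


class NoScore(ValueError):
    """Raised when the methodology says a score cannot be produced."""


def score_deductions(findings: Dict[str, str]) -> List[Tuple[str, int]]:
    """Return [(requirement, points_deducted)] for every finding that costs points.

    findings maps a requirement id to 'met', 'partial' or 'not_met'. Requirements
    absent from findings are treated as met, so in practice pass the full
    assessment rather than only the gaps you already know about.
    """
    deductions: List[Tuple[str, int]] = []
    for req, status in findings.items():
        if req not in WEIGHTS:
            raise KeyError(f"unknown or unweighted requirement {req}")
        if status not in STATUSES:
            raise ValueError(f"{req}: status must be one of {sorted(STATUSES)}")
        if status == "met":
            continue
        if status == "partial":
            # Partial credit exists only for MFA and FIPS crypto; anything else
            # is either implemented or not.
            if req not in PARTIAL_DEDUCTION:
                raise ValueError(f"{req} has no partial-credit rule; mark it met or not_met")
            deductions.append((req, PARTIAL_DEDUCTION[req]))
            continue
        # status == "not_met"
        if req == SSP_REQUIREMENT:
            raise NoScore("3.12.4 not implemented: no score can be produced")
        deductions.append((req, WEIGHTS[req]))
    return deductions


def sprs_score(findings: Dict[str, str]) -> int:
    """Compute the DoD Assessment Methodology score (110 down to -203)."""
    score = MAX_SCORE - sum(points for _, points in score_deductions(findings))
    if not MIN_SCORE <= score <= MAX_SCORE:
        raise RuntimeError("weight table inconsistent with the methodology's range")
    return score


def remediation_order(findings: Dict[str, str]) -> List[Tuple[str, int]]:
    """Gaps sorted by points recovered, so the 5-point items are fixed first."""
    return sorted(score_deductions(findings), key=lambda d: (-d[1], d[0]))


if __name__ == "__main__":
    # Constructed sample assessment: MFA partly deployed, encryption in use but
    # not FIPS-validated, CUI flow not controlled; everything else met.
    sample = {"3.5.3": "partial", "3.13.11": "not_met", "3.1.3": "not_met"}
    print("score:", sprs_score(sample))  # 110 - 3 - 5 - 1 = 101
    for req, pts in remediation_order(sample):
        print(f"  fix {req}: +{pts}")
```

The remediation order is the useful part for planning: with a fixed budget, finishing the 5-point items (MFA everywhere, FIPS-validated cryptography, audit logging) moves the score far more than a string of 1-point housekeeping items, and those same items are the ones a Level 2 assessor will press on.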
Now let’s consider your next steps.
What Actions Do You Need To Take Today?
Is the looming CMMC 2.0 program mandate keeping you up at night? Are you a DoD contractor with questions about CMMC, SPRS, and cloud solution requirements?
Regardless of where you are in your compliance journey, we’re here to help with cost-effective, small-business-optimized cybersecurity solutions.
Let us handle your information security so you can focus on growing your business.
Right now, we’re offering a complimentary CMMC 2 cybersecurity compliance assessment with no obligation and no cost to you.
That’s right, you have everything to gain and nothing to lose.
Call us at 703-378-4110 to schedule Your Free Cybersecurity Assessment Today!