Separating Fact from Fiction: Debunking Myths Around CMMC 2.0

Jason Sechrist
Author: Jason Sechrist, CIA, CISA, Director of Product Solutions - CrossComply, AuditBoard
Date Published: 25 May 2022

Editor’s note: The following is a sponsored blog post by AuditBoard.

With more than 220,000 companies supporting the US Department of Defense, the defense industrial base presents an enticing target for hackers, nation-states, and cybercriminals. On 4 November, 2021, the Department of Defense announced that it would replace the Cybersecurity Maturity Model Certification (CMMC) 1.0 with CMMC 2.0. The new, streamlined framework exists “to protect the defense industrial base from increasingly frequent and complex cyberattacks.”

In its new form, CMMC 2.0 aims to reduce red tape for small and medium-sized businesses, establish priorities for protecting DoD data, and foster cooperation between the defense industry and the DoD in combating cyber threats.

When introducing new compliance standards or revising existing regulations, the anticipation of changes can often create myths. Failing to separate fact from fiction can cause your organization to misunderstand how the compliance landscape will shift, leading to a failure to comply and putting DoD contract eligibility and revenue at risk.

CMMC 2.0 Myth Busting
We’ve collected four important myths to dispel regarding CMMC 2.0 that, if left unaddressed, could leave your organization unprepared and out of compliance.

Myth #1: CMMC is in limbo.
During a six-month review process, the DoD gathered extensive commentary from the defense industry to develop CMMC 2.0. CMMC 2.0 will not be a contractual provision until the completion of the rule-making process. The DoD expects to complete that phase within 9 to 24 months. It will then become a contract requirement.

Takeaway: CMMC 2.0 is moving forward. While contractors may feel they are in limbo due to the six-month review process, there are no indications that the DoD will fail to complete the rule-making process within its window.

Myth #2: Compliance will become less expensive under CMMC 2.0.
CMMC 2.0 changed the assessment process, including the frequency and use of third parties. Instead of undergoing a third-party assessment, Level 1 companies under CMMC 2.0 will complete an annual self-assessment to cover specific elements outlined in the framework. Level 2 contractors will undergo a third-party assessment every three years, while Level 3 will be subject to government-led assessments.

Takeaway: Level 1 contractors will not need to budget for additional third-party fees. Level 2 and Level 3 will need to set aside the budget to prepare and/or pay for third-party audits and support periodic audits by the government.

Myth #3: It’s OK to wait until Level 3 requirements become public.
While the exact requirements are under development, the government has stated that level 3 will require a subset of NIST SP 800-172. Furthermore, Level 2 will incorporate 110 practices from NIST SP 800-171. Also impacting the timeline for compliance will be the bottleneck of service providers eligible to perform third-party assessments for contractors who are required to have Level 2 Compliance. At the time of this article, there are only eight service providers that are accredited 3PAOs.

Takeaway: Since Level 3 will rely on a subset of NIST SP 800-172, your company can use the time before the exact requirements become known to assess its ability to comply and begin vetting, selecting, and scheduling your 3PAO partner.

Myth #4. Once finalized, CMMC 2.0 will apply retroactively.
Existing DoD contracts will not receive a blanket modification to reflect CMMC 2.0 and its requirements. Instead, new or recompeted contracts will reflect CMMC 2.0. Taking the time to prepare now will allow your company to compete for new and existing contracts.

Takeaway: Since CMMC 2.0 will not apply retroactively, the compliance burden for contractors is a little lighter. However, having removed that burden, the government’s expectations regarding compliance for new or recompeted contracts will conceivably be higher. This justifies starting the compliance effort sooner rather than later.

Preparing for CMMC 2.0 Compliance
For companies that support the United States’ defense efforts, compliance with cybersecurity standards is a matter of national security and critical to maintaining defense contracts.

While some aspects of CMMC 2.0 are under development, it’s not too early for your company to focus on achieving compliance by automating compliance management where you can centralize risk and compliance activities, measure your maturity, and increase visibility into status for executives. The final regulation implementing CMMC is expected in nine to 24 months. It can take up to 18 months for companies to get ready — compliance professionals don't have as much time as they think.