In a cyber-world, cyber threats are a continuous challenge. The Cybersecurity Maturity Model Certification (CMMC) framework is designed to protect sensitive unclassified information that is shared by the DoD with its contractors and subcontractors.
This framework is meant to hold contractors accountable for their security system requirements. The CMMC pilot program (CMMC 1.0) was assessed in March 2021 and resulted in updates to the structure and requirements to streamline and improve the program.
The assessment included more than 850 public comments and feedback from industry, Congress and other stakeholders, which helped drive the response to:
- Reduce costs, particularly for small businesses.
- Increase trust in the CMMC program.
- Clarify and align cybersecurity requirements to other federal requirements and standards.
- Cut red tape for small and medium-sized businesses.
- Set priorities for protecting DoD information.
- Reinforce cooperation between the DoD and industries addressing cyber threats.
CMMC 2.0 will implement program changes after it completes the rulemaking process, which could take 9-24 months. GovCons will be required to implement cybersecurity protection standards, perform self-assessments or obtain third-party certification as a condition of DoD contract awards.
CMMC 2.0 reduces cyber-security from five to three:
Level 1: Foundational
Level 2: Advanced
Level 3: Expert
Who does CMMC 2.0 Impact?
The rule applies to defense industrial base (DIB) contractor’s unclassified networks that process, store or transmit FCI or CUI.
“DoD’s intent under CMMC 2.0 is that if a DIB company does not process, store, or transmit Controlled Unclassified Information (CUI) on its unclassified network, but does process, store or handle Federal Contract Information (FCI), then it must perform a CMMC Level 1 self-assessment and submit the results with an annual affirmation by a senior company official into SPRS.”
What’s at risk for GovCons?
Companies should be proactive in continuing to build and maintain compliance programs, evaluate and harden their cyber-security while the rulemaking process continues. The Department of Justice’s Civil Cyber-Fraud Initiative will be focusing on GovCons that fail to comply with cybersecurity standards.
WJ Technologies helps GovCons stay on track and in compliance. Contact us for more information.