The June 2021 cyberattack on JBS — the world’s largest meat supplier — wasn’t the first significant security threat the nation faced last summer. Hackers made away with $4.4 million after breaching the Colonial Pipeline just three weeks prior.
Since then, Americans have felt the impacts of increasing cyberattacks with rampant supply chain disruptions throughout the gas and food industries.
In May 2021, President Biden prioritized signing a new Executive Order outlining efforts to mitigate breaches and safeguard U.S. national security.
Part of the efforts highlight the Department of Defense (DoD)’s modifications to the Cybersecurity Maturity Model Certification — or CMMC.
The rules are simple. Businesses tendering federal contracts containing sensitive details or conducting operations with other governmental suppliers must comply with CMMC practices.
Improvements To CMMC
To meet growing security protection concerns, the DoD has sought improvements to CMMC. As a result, CMMC 2.0 may affect companies in the following three ways.
Streamlines CMCC Standards and Processes
The latest upgrade to CMMC 2.0 aims to streamline its processes per the National Institute of Standards and Technology’s cybersecurity standards.
With the new model, CMMC reduces the compliance levels from five to three, ultimately generating a more straightforward standard for companies to follow while protecting sensitive DoD information.
Eliminating Levels 2 and 4 from the initial implementation of CMMC, the three new CMMC 2.0 levels — categorized as foundational, advanced, and expert — are as follows:
Level 1
This level applies to companies with Federal Contract Information and requires protecting information not considered a national security risk.
The first level of CMMC 2.0 requires a third-party assessment, and company executives must provide an annual compliance certification.
Level 2
Level 2 refers to enterprises with Controlled Unclassified Information (CUI). Rather than obtaining a third-party assessment, contractors may be allowed to self-certify — although threshold requirements are still in development.
Level 3
This level pertains to high-priority companies and programs with CUI. All contractors seeking Level 3 certification must hold Level 2 certification.
At most, Level 3 requires partial compliance, but the DoD is still mapping out the necessary standards.
The final CMMC 2.0 rules have an anticipatory publication of late 2023 or 2024. However, the DoD is encouraging defense industrial base companies to undergo Interim Assessments, valid for three years.
Ensures Greater Compliance
Like any significant rule changes, the regulatory risk implications are high as some of the CMMC 2.0 updates could accrue costly fines during adaptations — yet CMMC 2.0 improves compliance for enhanced security with reduced costs.
The changes allow Level 1 and some Level 2 enterprise to demonstrate their cooperation with CMMC 2.0 through self-assessment.
The self-assessment is permitted only for non-priority acquisitions, and companies will have to send executive-level verification to the Supplier Performance Risk System (SPRS) after completing the steps for Level 2.
Third-party assessments are still mandatory for priority acquisitions, and companies are responsible for obtaining third-party reviews and certification.
Similar to tax audits, the DIB Cybersecurity Assessment Center (DIBCAC) may select any contractor to undergo auditing. A DIBCAC audit looks at a company’s data protection and checks its compliance score in the SPRS.
Of course, higher accountability for enhanced cybersecurity means more oversight of compliance criteria.
To further enforce CMMC 2.0 compliance, the Department of Justice developed the Civil Cyber-Fraud Initiative under the False Claims Act to investigate contractors who withhold or forge inaccurate SPRS scores.
Allows for Flexible Implementation
Under certain circumstances, companies can follow Plans of Action & Milestones (POAMs) for obtaining CMMC 2.0 certification. The new model — developed by the DoD — is for rendering greater flexibility in putting the updated compliance measures into effect.
With POAMs, the DoD aims to specify benchmarks contractors must meet within 180 days, accounting for the changes to the new levels and procedures for certification, compulsory assessments, and execution of cybersecurity protections.
The DoD decided to allow companies to follow POAMs after small and medium-sized businesses expressed concerns about their ability to meet CMMC 2.0 standards promptly.
Better Protections for Safer Business
The updated CMMC 2.0 secures secure every aspect of the DoD’s supply chain. While companies must adjust the compliance changes accordingly, these advanced protections will create safer, more streamlined business practices between contractors and critical governmental departments.