New Relaxed CMMC 2.0 Requirements Published
Bottom Line: Reduce the Risks of Cyber Attacks
By: John Hensberger, Managing Partner of Black Bottle IT
On November 4, 2021, the U.S. Department of Defense published the latest updates to CMMC. The new strategic direction has prompted much commentary on the changes and reflection on the program's original goals.
Recap How We Got Here with CMMC 2.0
In January of 2020 -- CMMC 1.0 requirements and roadmap were published.
It had five levels of cybersecurity maturity.
In November 2021 -- CMMC 2.0 requirements were released.
It has three levels, which will continue to be fleshed out over the next few months.
Why the change?
CMMC 1.0 may have been too much too soon for the industrial base to handle. The cost of third-party assessments, new cybersecurity technology, and other new expenses placed on companies was a crucial driver of the changes. In addition, the five assessment levels and the roadmap for reaching the right level of compliance confused some companies and took some expertise to interpret properly. Streamlining the requirements was also a significant objective for CMMC 2.0: reducing the number of levels from five to three and narrowing the requirement for third-party assessments should lessen the immediate financial burden on the industrial base.
What is the impact?
Under CMMC 1.0, most manufacturers in the DoD supply chain would have had to adhere to 130 practices and undergo a third-party assessment by a qualified CMMC assessor to reach CMMC 1.0 Level 3. Under CMMC 2.0, only companies in the industrial base that have access to critical national information will need to be assessed by a qualified third party; most companies will be allowed to perform self-assessments. While this makes compliance easier and lessens the financial burden, it also lengthens the time before critical cybersecurity programs and technology are implemented at companies that are very much at risk of cyber attacks.
What are the responses from the industrial base and the third-party service providers?
As high-profile security breaches hit mainstream news cycles, it seemed CMMC 1.0 had arrived just in time. Mandates for an increased cybersecurity posture to protect critical supply chains and critical national information are necessary. Many third-party service providers had also started gearing up their practices to provide guidance and assessments against the new requirements. With the release of the "relaxed" CMMC 2.0 requirements, the industrial base received a little reprieve from meeting these challenging requirements, while the third-party providers voiced concern that CMMC 2.0 does not go far enough to achieve its mission.
Black Bottle IT has spoken with many potential and existing clients about CMMC, and the sentiment is generally the same. Manufacturers understand their risk and their obligation to protect sensitive information. They also understand that future budgets must include increased spending in these areas. But they are slow to make significant investments; instead, making smaller incremental improvements seems to them like a reasonable path forward. Make no mistake: CMMC 2.0 relaxed the original requirements only temporarily, in an attempt to heed feedback from the industrial base. Future versions of CMMC will roll in more standards and ultimately arrive at the more complex and demanding compliance framework needed to protect critical supply chains and critical national information.
Companies trying to adhere to the new requirements need cybersecurity and compliance expertise. This talent is in short supply and high demand.
Attracting this talent, or finding the best third-party service providers to guide your business through current and future requirements, is a challenge for the industrial base.
When the data within your organization is protected, the risk of a cyber attack is reduced, and your Department of Defense or government contracts are at less risk.
About the Author: This blog was written by John Hensberger, Managing Partner of Black Bottle IT. As a Technology Executive and Cybersecurity Advisor, John was recognized as the Pittsburgh CIO of the Year in 2014.