On November 4, the Department of Defense (DoD) announced the strategic direction of the Cybersecurity Maturity Model Certification (CMMC) program, which marks the completion of an internal program assessment led by senior leaders across DoD. 

CMMC 2.0 brings about a number of changes which DoD will be pursue through the rulemaking process and will include public comment periods. 

Listen to Neal Beggan, a Principal in Cherry Bekaert’s Information Assurance & Cybersecurity Practice, selected as one of the first Provisional Assessors nationwide by the CMMC Accreditation Body, and Eric Poppe, a senior manager in the Firm’s Government Contractor Services Group, as they discuss DoD’s modifications and their potential impact on contractors and subcontractors in the defense industrial base (DIB).

 Changes include:

•  Eliminating levels 2 and 4 of the framework and using National Institute of Standards and Technology (NIST) cybersecurity standards
• Companies at Level 1, and a subsection of companies at Level 2 will only be required to demonstrate compliance through annual self-assessments
• Triannual third-party assessments at Level 2 for critical national security information, as well as triannual government-led assessments at Level 3
• Increase in oversight of professional and ethical standards of third-party assessors
• New waiver processes for select requirements - DoD indicated:
  •  “Under certain limited circumstances”, companies can make “Plans of Action & Milestones (POA&Ms)” to achieve certification
  • “Under certain limited circumstances”, waivers to CMMC requirements will be allowed

 DoD is also suspending the current CMMC pilot program for select contracts and will not approve any CMMC requirements in DoD solicitations while the rulemaking is underway. The Defense Department further indicated that it is looking at providing incentives to contractors who voluntarily obtain certification during the interim period and more information will be forthcoming. 

View all Government Contracting Podcasts