Those businesses that work in the Defense industry, referenced as DIB or Defense Industrial Base, are probably already aware that the United States Government has changed the rules (again) for data security. The Cyber Security Maturity Model Certification (CMMC) was introduced just recently in 2019 followed by the Defense Federal Acquisition Regulation (DFARS) shortly after in an effort to bolster data security around sensitive information. The process can be confusing from registering on the PIEE (Procurement Integrated Enterprise Environment) site to uploading scores to the SPRS (Supplier Performance Risk System) site. We are one paragraph into this blog post and readers are already drowning in acronyms. Unfortunately, there are a lot of necessary ones surrounding this topic.
We can all probably agree that having solid data security practices surrounding data and information related to national security is a good and necessary thing. Unfortunately, our government is still trying to get it right. The first release of CMMC (CMMC 1.0 as it is now known) had many excellent technical recommendations. DIB businesses however pushed back heavily on the amount of extra cost and effort required to meet the requirements. An analysis of the pushback lead to the conclusion that Department of Defense (DoD) supply chains may be at risk without some changes. Introduce CMMC 2.0.
The most obvious change in CMMC 2.0 is that we know see three levels of certification as opposed to five in CMMC 1.0. The levels have been renamed and below is a comparison of the 1.0 and 2.0 models.
The simplification of the model also applies down to the three levels in that fewer requirements now exist in each level. Foundational level compliance can be completed using a self-assessment now which was not allowed under CMMC 1.0. The Advanced level and Expert level compliance require a certified auditor with the requirements ramping up at each level.
Another major change is that CMMC 1.0 allows for the use of POA&Ms (Plan of Action and Milestones) to show an intent to comply by a certain date. In order to use this stipulation, an organization must note which regulation is being addressed, a detailed plan of action to come into compliance and a completion date expected. This intent to comply will suffice where as CMMC 1.0 had no such leeway.
A little bit of good news for businesses in the Defense industry. Many of the regulations are based off of past compliance standards like NIST 800-171 which many businesses had already either been in compliance with or working on compliance with. It is not a complete re-invention of the wheel.
Unsure if your organization is required to comply or unsure what steps your business needs to take? Contact our experts at (888) 600-4560 or email us at info@coldencompany.com . Unfortunately, not knowing the law is never an excuse for not abiding by it.