Will CMMC 2.0 Prove a Help or Hindrance to Defense Contractors?


CMMC 2.0, the recently updated DoD program to ensure contractors protect sensitive government data, aims to simplify the compliance processes of the program’s original version. However, I believe the new rules might raise more questions than they answer for businesses hoping to win a defense contract.

If there’s one area where we want our government to hold its private sector partners to the highest standards of excellence, it’s safeguarding the sensitive data those businesses must hold and use to fulfill their government contracts – particularly data that could affect national security. 

The Cybersecurity Maturity Model Certification (CMMC) is one attempt to achieve that objective – a program designed to ensure any defense contractor handling sensitive information adheres to the highest standards of cybersecurity sophistication and can prove so through third-party assessment.

But when the DoD rolled out the program in 2020, defense industrial base (DIB) companies expressed frustration at the difficulty and cost of achieving certification. So the government responded in late 2021 with a simplified and more flexible CMMC 2.0. 

Here’s the question: Will the simplified requirements of CMMC 2.0 make it easier or more difficult for contractors to become – and remain – compliant? I’d argue it’s the latter, and here’s why.

The Problem: More Relaxed Guidance Creates Confusion

From a DIB contractor’s standpoint, almost every change between CMMC and CMMC 2.0 represents both a potential benefit (e.g., opening more paths to certification) and a challenge (e.g., leaving open the question as to when the company can claim it has reached compliance). Here are a couple of examples:

1. Can a contractor be sure its self-assessment will withstand scrutiny?

Where the original CMMC required a third-party assessment at every level, version 2.0 allows contractors to assess their own operations at Level 1 and for a subset of Level 2 contracts, with a senior company official affirming the result each year. Level 2 contracts involving more sensitive information, and all of Level 3, still require an independent assessment.

Although this sounds like it can save time and money – particularly beneficial for smaller contractors – self-assessment can introduce confusion and risk. Can a DIB contractor be confident an audit will affirm the claims made in its self-assessment? And will the company’s senior officials (e.g., CEO or president) feel comfortable attesting to the compliance claims made in the self-assessment, knowing they are personally accountable for those claims?

2. Will not-yet-fully-compliant contractors benefit from a POAM, or will it create a new challenge after their organization earns certification?

Another feature new to CMMC 2.0 is that DIB contractors can complete the certification process without being 100% compliant with CMMC’s demands – if they submit a Plan of Action and Milestones (POAM) and close it out within the allowed grace period, which the DoD has set at 180 days (POAMs were not allowed in CMMC 1.0). Note that a POAM is not a blanket deferral: the DoD has said it will limit which requirements can be left open and will require a minimum assessment score before a POAM is accepted.

Again, this could be great news for contractors. It means businesses can earn CMMC certification and begin applying for defense contracts before they’ve checked all of the compliance boxes, assuming the government approves their POAM. But this approach also carries risk.

If an organization earns CMMC certification partially on the promises of its POAM – but fails to complete the plan within the grace period – the company could have its certification stripped and any contracts it depends on canceled. That could represent significant costs, lost opportunities and a damaged reputation with DoD buyers.

The Defense Department explicitly states on the CMMC website that its top goal with CMMC 2.0 is to help “simplify compliance.” But as the examples above illustrate, relaxing guidance can also make it more difficult for DIB contractors to firmly grasp the rules and to know whether their processes meet the DoD’s standards.

As reported during the public comment process for CMMC 2.0, one private-sector executive described the problem this way: “The single greatest challenge… is the fact that the US government does not want to tell the industry how to do things, yet the industry desperately wants to be instructed exactly how to achieve the goals and objectives of each prescribed control.”

The Answer: Find a CMMC Expert

To address the complications and confusion introduced by CMMC 2.0, I’d suggest two courses of action – one for the DoD itself and the other for any would-be DIB contractor.

For the Defense Department, I hope we will soon see clarifying language and additional guidance on CMMC 2.0 compliance. And let’s give credit where it’s due: The DoD showed tremendous flexibility and speed in adjusting its original CMMC program based on contractors’ feedback. That gives me confidence they will act to make the new program’s rules and processes clearer as well.

For defense contractors, my advice is to partner with a CMMC expert. Don’t try to navigate the process alone, particularly if cybersecurity and IT aren’t your core business. There are organizations out there, such as MSSPs and CMMC Registered Provider Organizations (RPOs), that can walk you through the compliance process step by step – so you can earn your certification and begin going after lucrative DoD contracts. One caveat: the firm that helps you prepare cannot also perform your third-party assessment. Where an independent assessment is required, it must come from an authorized C3PAO with no consulting relationship to your company, so plan for two separate engagements from the start.
