What is CMMC 2.0?

The Cybersecurity Maturity Model Certification (CMMC) is a unified standard for implementing cybersecurity across the defense industrial base (DIB), which includes over 300,000 companies in the supply chain. The CMMC brings together a number of previous compliance processes, including NIST SP 800-171 and other government regulations, into one unified framework.

Cybersecurity preparedness is becoming increasingly critical with ongoing threats to the nation’s economic and national security from foreign actors, and as a result, the DoD considers the CMMC program a vital part of the government’s response to these threats.

In November 2021, the DoD announced CMMC 2.0, an updated program that will streamline the current CMMC model from 5 to 3 compliance levels, use NIST cybersecurity standards, and allow demonstration of compliance through self-assessments for companies at Level 1 and a subset of Level 2.

CMMC 2.0 Key Features

The CMMC 2.0 program has three key features:

  • Tiered Model: CMMC requires that companies entrusted with national security information implement cybersecurity standards at progressively advanced levels depending on the type and sensitivity of the information.
  • Assessment Requirement: CMMC assessments allow the DoD to verify the implementation of clear cybersecurity standards.
  • Implementation through Contracts: Once CMMC is fully implemented, certain DoD contractors that handle sensitive unclassified DoD information will be required to achieve a particular CMMC level as a condition of contract award.

According to DoD Director of CMMC Policy Stacy Bostjanick, the federal rulemaking process around CMMC 2.0 will be complete by March 2023, opening the door to the inclusion of CMMC 2.0 language in DoD contracts, which the DoD will begin doing in May 2023.

What Happens After CMMC 2.0 is Implemented?

Although companies that are not CMMC 2.0 certified by the deadline can still get contracts, those contracts will be provisional. Final approval will require an up-to-date score posted in the DoD’s SPRS database, as well as an attestation from a senior company official that the score is accurate. This is followed by a 180-day grace period in which to obtain CMMC 2.0 Level 2 certification in order to continue doing business with the DoD.

Because subcontractors are required to have the same compliance level as the prime contractor, the list of requirements can be daunting for smaller companies without dedicated cybersecurity teams. In addition, it can be difficult to keep track of compliance on an ongoing basis without the necessary resources to do so.

For small to medium-size contractors, the loss of essential federal government contracts due to noncompliance could mean the difference between staying in business and being forced to close their doors. In addition, those who earn CMMC 2.0 certification early on will have an additional competitive advantage over companies who wait until later.

Because the DoD does not have the resources to validate everyone, companies need a third-party auditor (a C3PAO, or Certified Third Party Assessment Organization) to grant CMMC 2.0 certification. Although JS Solutions is not an auditor, its expert team is a resource that can help fully prepare your company for the audit process.

How Can JS Solutions Help Your Company Become CMMC 2.0 Compliant?

The JSS expert team begins with an initial assessment in which they determine where your company is now, where it needs to be, and what time and resources will be required to meet the final goal.

The team will then conduct a Gap Assessment, during which they determine the steps needed to address critical issues and help your company develop a plan of action and milestones. Because there is no one-size-fits-all approach to security, this is a highly individualized process that is custom tailored to the specific needs of the business, taking into consideration factors such as business model, budgetary constraints and personnel needs.

Because JSS also understands that a lot can change in a short period of time, the individualized plan includes reviews to ensure that the plan is continuing to meet the needs of your company and the milestones are being met.

How Can JSS Help Your Small Business Meet CMMC 2.0 Standards On Time and Under Budget?

While some large cybersecurity compliance businesses use scare tactics to charge premium rates to smaller businesses to retain certification, JSS offers big business-quality expertise custom tailored to the needs and budgets of smaller businesses.

While it primarily serves businesses of fewer than 100 people, JSS also has the capacity to assist larger organizations, or the Federal customer directly. The goal is to act as a force multiplier for any organization's cybersecurity and risk management teams, enabling them to achieve compliance and to continually monitor, mitigate, and prevent risks to their information systems.

What Role Does JSS Play During the CMMC 2.0 Audit?

In addition to helping your company prepare for the C3PAO audit, JSS will work with your company throughout the process to help meet all accreditation challenges. When the assessors leave, JSS will be there to help your company correct any deficiencies found during the audit and will help your company remain compliant throughout its lifecycle.