In July 2023, the U.S. Defense Department forwarded its strategy for the Cybersecurity Maturity Model Certification (CMMC) 2.0 framework to the Office of Management and Budget (OMB) for evaluation. The move initiated the long-awaited rulemaking phase for CMMC 2.0.
OIRA (The Office of Information and Regulatory Affairs, a subset of OMB) was slated to conclude its review of the CMMC regulation within 90 days after its submission in July. This timeline would have marked October on the calendar for a decision. Now in November 2023, anticipation is high as we await further developments.
According to MeriTalk, November/December was floated as a possible decision timeframe at the Billington Cybersecurity Summit. But we can’t say anything for sure.
What Updates Are We Waiting For?
The review process is building toward a pivotal decision by the OIRA to publish CMMC 2.0 as a proposed rule or enact it as an interim final rule. Here’s an overview of what to expect in either scenario.
If Released as a Proposed Rule
The most likely of the two outcomes, a proposed rule from OIRA means that CMMC 2.0 will be released for public comment for a 60-day stretch of time. But it wouldn’t end there. It’s widely known that the proposed rule cycle can take upwards of a year to reach final rule status, possibly cementing CMMC 2.0 into law in late 2024 or even 2025.
If Released as an Interim Final Rule
If released as an interim final rule, the CMMC 2.0 could become active within 30 days, speeding up its enforcement. This is a much less likely scenario given the complexity and scale of CMMC 2.0.
What CMMC 2.0 Finalization Means, Regardless of the Timing
Finalization will mean that CMMC accreditation is mandatory for contractors dealing with any CUI. Lack of certification could lead to forfeiture of DoD contracts and difficulty procuring them in the future. Adapting to CMMC will mean defense contractors must allocate funds to enhance their cybersecurity measures to align with DoD criteria, incurring further compliance expenses.
A CMMC 2.0 Recap
You may recall CMMC was rolled out in 2020 as a rigorous cybersecurity framework with 5 levels of compliance for defense contractors handling sensitive data. After industry feedback, the streamlined CMMC 2.0 emerged in 2021:
- Just 3 maturity levels now (Level 1 minimum for all DoD contractors, Levels 2 & 3 for frequent CUI handlers)
- Self-assessments allowed for Levels 1 & 2, reducing compliance costs
- Stricter standards imposed on 3rd party assessors
- “Plans of Action” permitted for building toward compliance
- Waivers possible for urgent contracts needing exception
- 14 domains now vs. 17 originally
CMMC 2.0 takes cues from the NIST cybersecurity framework (NIST 800-171 through NIST 800-172), which provides guidance on protecting the confidentiality of controlled unclassified information (CUI) in nonfederal systems and organizations.
The NIST 800-171 cybersecurity framework provides a comprehensive set of controls and assessment objectives for protecting controlled unclassified information (CUI). Since CMMC 2.0 aligns with NIST standards, especially 800-171A, defense contractors can get a head start on compliance by:
- Reviewing the 110 security controls in NIST 800-171 and beginning implementation where there are gaps. This establishes security foundations.
- Studying the 320 assessment objectives in 800-171A to understand how CMMC 2.0 readiness will be evaluated. Contractors can perform self-assessments against these objectives.
- Using the CMMC 1.0 model as a reference for mapping controls across cybersecurity domains. Although CMMC 1.0 had 5 maturity levels, it provides a detailed framework for security improvements.
- Comparing CMMC 1.0 domains to the 14 domains in 2.0 to prioritize gap remediation in overlapping areas.
By taking these steps now, defense contractors can align their security policies and controls with NIST standards that underpin CMMC 2.0. This proactive preparation, before CMMC 2.0 finalization, will ease the eventual transition and reduce cost of formal certification. It demonstrates commitment to cyber readiness that the DoD values in a security partner.
Aligning security controls with NIST guidance lays the groundwork for meeting DoD cybersecurity regulations.
Encrypted Data Protection in CMMC 2.0
Preparing for CMMC 2.0 requires a strategic approach to identifying and safeguarding your organization's controlled unclassified information (CUI). Follow these key steps:
- First, conduct a CUI impact assessment across your systems and workflows. Examine the scope, frequency, and purpose of CUI handling to determine your target CMMC level.
- Next, perform a gap analysis to reveal where CUI may be vulnerable. Review how CUI is stored, transmitted, and shared. Pinpoint areas needing improved protection.
- With gaps identified, consult CMMC resources like the OUSD's model overviews for guidance on controls. Their expertise can inform your compliance roadmap.
- A crucial priority is implementing FIPS 140-2 certified encryption to lock down CUI data at rest and in motion. Encryption cost-effectively addresses a major CMMC requirement.
Taking proactive steps gets you on the path to CMMC readiness. However, you need the right partner to provide advanced data protection capabilities as the new standards roll out. Virtru is the leading solution to secure your organization's CUI communications and collaboration.
FedRAMP Authorized Encryption Solution for Your CMMC 2.0 Toolkit
Virtru's NIST-compliant encryption and access controls are purpose-built to enable defense contractors to rapidly fulfill rigorous CMMC encryption equirements. Our intuitive interface allows you to seamlessly implement end-to-end email and file encryption across your workflows.
Virtru goes beyond basic protections to provide persistent visibility and control over CUI, even when shared externally. Our customer-controlled encryption keys and detailed audit logs empower you to maintain compliance as CUI moves across your supply chain.
By deploying Virtru's comprehensive, FedRAMP authorized data protection now, you'll have the cybersecurity foundation to build on and reach CMMC certification at any level. We make the complex requirements simple to implement - and even easy for DoD partners to adopt and implement with you.
To discover more about how Virtru can help you with CMMC 2.0 readiness, book a demo today.
