The Future of CMMC 2.0 Compliance

Current Lay of the Land: CMMC 2.0 Compliance

Since its initial release in January 2020, the Cybersecurity Maturity Model Certification (CMMC) has undergone a series of fundamental changes. The changes were recently captured in the US Department of Defense’s (DoD’s) proposed CMMC 2.0 rule, which was published in December 2023 and will have an impact on nearly every DoD contractor and subcontractor.

Although the proposed rule is in a public comment period until late February 2024, the key takeaway is that CMMC 2.0 continues to move forward. Unfortunately, a few loose ends make it difficult to predict when CMMC 2.0 compliance requirements will be finalized, but here’s what we know so far:

  • According to analysis of DoD’s proposed rule, CMMC 2.0 Level 2 assessments will be required as a condition of contract award for all applicable contracts that involve Controlled Unclassified Information (CUI), in Phase 2 of the CMMC implementation process.
  • It is further anticipated that CMMC requirements for Levels 1, 2, and 3 will be included in all DoD solicitations on/after October 1, 2026.
  • Throughout the CMMC implementation process, you can expect increased scrutiny of your IT Security processes.
  • Your company will also need to continuously validate its supply chain security practices.

As they say, the only thing constant is change. So, you need to remember that 2.0 won’t remain stagnant, and you will need to adapt your cybersecurity procedures accordingly. My experience is that the average organization could take 12 to 18 months to become CMMC 2.0 compliant, even if it has the required technical skill sets in place. So, I’ve outlined best practices below that’ll help to get your program started.

CMMC 2.0 Compliance: Where to Start

With government regulations evolving rapidly (along with the cyberthreats the regulations are meant to address), it’s easy for an organization to become overwhelmed. But that doesn’t have to be the case. By following these basic approaches, you’ll be well on your way to complying with key cybersecurity regulations, including CMMC.

Harness Your People Power

It’s important to get your entire organization on board for any changes that you’ll be making. In particular, you need to:

  • Develop and get buy-in on the business use case for CMMC from the executive and operational teams. CMMC is an organizational mindset and practice that leads to security and compliance.
  • Educate and regularly communicate the role, responsibility, accountability, and impact with your end-users, internal support teams, and your executive team.
  • Train your employees in cybersecurity best practices, particularly related to phishing, the risk of using third-party sites, tools, and software code, along with the impact of non-security oriented development processes.
  • Get organizational resolve from your teams to improve cybersecurity protection. (You may need to devote extra time to educating potential IT Security detractors, showing them that better productivity and more effective cybersecurity can go hand-in-hand.)
  • Acknowledge and reward desired security-centric behavior.

In other words, you need to develop a security culture. Culture trumps strategy every day of the week and twice on Friday (I’m loosely quoting the famous consultant Peter Drucker here, but you get the point). At base, your corporate strategy and culture need to be aligned. They will drive your communication, education and training, and organizational resolve.

Implement Technology Best Practices

Here, rather than implementing a large number of point solutions, you want technology to work with you rather than against you. As such, you need to:

  • Assess your IT Security status over time in the following areas: hardware security, software security, technical configurations, and IT assets.
  • Focus on implementing the hardware controls that’ll have the most short-term (and long-term) impact in reducing your attack surface and risk to the organization.
  • Avoid jumping to the end solution: For example, you need to review your entire application security process before pursuing a specific IT solution that is promised to meet all of your security needs. As legendary software engineer Fred Brooks often lamented, there is no “Silver Bullet” in software engineering. That rings true for cybersecurity as well.

Instead, focus on manageable implementation of security best practices that integrate with current solutions (with an eye for the future) and generate the best ROI for the business’ operations, as well as for your IT and security teams.

Improve Your IT Security Processes

Plain and simple, people and technology can’t be effective without sound IT Security processes. Recommended steps include the following:

  • As with any successful plan, prioritize what steps you need to take to attain your goals and regularly track your progress.
  • Determine when and how you will achieve your required IT Security standards.
  • Monitor and update your compliance efforts as threat vectors, technology, and regulations change.
  • Engage a trusted third party to help with your journey. This can often save you considerable time and enable you to benefit from the third-party provider’s experience with other clients and industries.

Remember that you can’t boil the ocean, but you can focus on the strategic projects that may have the biggest impact. Align your security objectives with business opportunities. Make IT security a competitive advantage, and don’t hesitate to leverage help both internally and externally.

Learn More

To learn more about the proposed DoD rule, watch and share the webinar replay below. The webinar will be available on replay after the live session.

Author
J. Carlos Vega

Colonel J. Carlos Vega, US Army (Retired), is a strategic advisor, innovator, and proven leader who brings new ideas based on opportunity and challenging circumstances by utilizing his technical, operational, cultural, and geopolitical knowledge to improve organizational outcomes. He is a trailblazer in cybersecurity at the intersections of the information technology, cyber, and national security disciplines in the US and abroad.
