The Future of CMMC 2.0 Compliance

‍

Current Lay of the Land: CMMC 2.0 Compliance

Since its initial release in January 2020, the Cybersecurity Maturity Model Certification (CMMC) has undergone a series of fundamental changes. In particular, the US Department of Defense (DoD) transitioned from five planned compliance levels for CMMC 1.0 compliance to three required levels for CMMC 2.0 compliance. Coinciding with that change, more DoD contractors have become empowered to perform CMMC 2.0 self-assessments.

Despite the transition to CMMC 2.0 in November 2021, there are still some loose ends for CMMC that will become clearer with time. Unfortunately, the loose ends also make it difficult to predict where CMMC 2.0 compliance requirements are ultimately headed.

But, as I shared in a recent webinar, the following situations are likely to occur:

• CMMC 2.0 certification verbiage will be formally added to DoD contracts.

• Over time, contract modifications can be expected, with contracts making specific reference to CMMC 2.0.

• CMMC 2.0 compliance audits can be anticipated. In other words, the DoD will be “checking your company’s work. ”

• You can expect increased scrutiny of your IT Security processes.

• Your company will need to validate its supply chain security practices.

• As they say, the only thing constant is change. So, you need to remember that 2.0 won’t remain stagnant, and you will need to adapt your cybersecurity procedures accordingly.

CMMC 2.0 Compliance: Where to Start

With government regulations evolving rapidly-along with the cyberthreats the regulations are meant to address- it’s easy for an organization to become overwhelmed. But, that doesn’t have to be the case. By following these basic approaches, you’ll be well on your way to complying with key cybersecurity regulations, including CMMC.

Harness Your People Power

It’s important to get your entire organization on board for any changes that you’ll be making. In particular, you need to:

• Educate and regularly communicate with your end-users and your executive team.

• Train your employees in cybersecurity best practices, particularly related to phishing and usage of third-party sites.

• Get organizational resolve from your teams to improve cybersecurity protection. (You may need to devote extra time to educate potential IT Security detractors that better productivity and more effective cybersecurity can go hand-in-hand).

In other words, you need to develop a security culture. Culture trumps strategy every day of the week and twice on Friday (I’m not quite quoting the famous consultant Peter Drucker here, but you get the point). At base, your corporate strategy and culture need to be aligned. They will drive your communication, education and training, and organizational resolve.

Implement Technology Best Practices

Here, rather than implementing a large number of point solutions, you want technology to work with you rather than against you. As such, you need to:

• Assess your IT Security status over time in the following areas: hardware security, software security, technical configurations, and IT assets.

• Focus on implementing the hardware controls that’ll have the most short-term (and long-term) impact.

• Avoid jumping to the end solution: For example, you need to review your entire application security process before pursuing a specific IT solution that is promised to meet all of your security needs.

Instead, focus on manageable implementation of security best practices that integrate with current solutions (with an eye for the future) and generate the best ROI for the business’ operations, as well as for your IT and security teams.

Improve Your IT Security Processes

Plain and simple, people and technology can’t be effective without sound IT Security processes. Recommended steps include the following:

• As with any successful plan, prioritize what steps you need to take to attain your goals and regularly track your progress.

• Determine when and how you will achieve your required IT Security standards.

• Monitor and update your compliance efforts as threat vectors, technology, and regulations change.

• Engage a trusted third party to help with your journey. This can often save you considerable time and enable you to benefit from the third-party provider’s experience with other clients and industries.  

Remember that you can’t boil the ocean, but you can focus on strategic projects that may have the biggest impact. Align your security objectives with business opportunities. You need to make IT security a competitive advantage and do not hesitate to leverage help internally and externally.

Learn More

To learn more, watch and share the webinar replay below.

‍