The Department of Defense’s Cybersecurity Maturity Model Certification program is a set of cybersecurity standards created in 2019 to fortify the Defense Industrial Base against the increasing threat of cyberattacks and protect sensitive, unclassified information shared by the DOD and its contractors.
CMMC incorporates these cybersecurity standards into the Defense Department’s acquisition programs to ensure that contractors and subcontractors are trusted and secure. However, in the three years since its inception, the program has undergone multiple reorganization efforts and updates, posing obstacles to companies looking to achieve compliance.
The program’s latest update, CMMC 2.0, was released in November 2021, following an internal review sparked by over 800 public comments on the program’s initial release. The updated framework clarifies policy, simplifies standards, reduces associated costs and gives contractors more time to comply with the new requirements.
“This is basic hygiene to raise the water level to make sure we can protect our sensitive data so that when our service members have to go into action, they’re not going to have an unfair position because our adversary’s already stolen key data and technologies that’ll put them at an advantage,” Sherman said of CMMC 2.0.
However, although the updated framework allows contractors more time to comply, CMMC officials are urging companies to pursue their certification early.
“Don’t wait for this to be a requirement in your contract,” said Matthew Travis, CEO of the CMMC Accreditation Body. “Go ahead, engage in CMMC and get certified.”
To learn more about the implications of CMMC 2.0 and the future of the program, join the 2022 CMMC Forum hosted by the Potomac Officers Club on May 18.