Navigating the Confusing Compliance Environment of the DoD’s CMMC 2.0

Solutions Review’s Expert Insights Series is a collection of contributed articles written by industry experts in enterprise software categories. Matthew Hodson of Valeo Networks lays out a clear path to more easily navigate the DoD’s CMMC 2.0 program.

First, the bad news.

Although the Department of Defense (DoD) has simplified the original version of its Cybersecurity Maturity Model Certification (CMMC), version 2.0 of the program still leaves a lot of contractors’ questions unanswered. But the good news is that the DoD is clearly trying to make the compliance process less complicated. And with the proper guidance, your company can get there– even if you’re not cybersecurity experts.

Widget not in any sidebars

CMMC 2.0: Navigating Through the Confusion

The Challenges of CMMC 1.0

Whether buying advanced weapons, furniture, or catering services, the DoD will often have to share with those contractors what’s known as Controlled Unclassified Information (CUI)– data that’s not top secret but needs to be kept confidential and safeguarded from hackers.

To make sure that any vendor required to handle CUI would be capable of keeping that data secure, the government launched CMMC in 2020. The program established cybersecurity standards that contractors would need to meet — and demonstrate through third-party assessment — before they could apply for contracts. Even longtime DoD vendors would need to go through this certification.

But when the government introduced CMMC 1.0, Defense Industrial Base (DIB) companies began citing challenges with it almost immediately. For example:

• Contractors were confused by the five levels of certification and unsure which levels they’d need to reach to qualify for specific types of DoD contracts.
• The assessment process was confusing, and many contractors weren’t sure which third-party consultant’s evaluations the government would accept.
• Contractors complained that the numerous steps needed to reach even the lower certification levels made the process cost-prohibitive for their businesses.

Based on this feedback — which the government’s CMMC website explains included more than 850 public comments — the DoD acted quickly, announcing a streamlined CMMC 2.0 just over a year after the original program’s rollout.

CMMC Certification: Complicated But Achievable

So, does CMMC 2.0 solve all of the challenges DIB companies faced with version 1.0? Not exactly. Here’s what’s changing with the new program:

1. Fewer levels: Streamlining the program from CMMC 1.0’s five levels down to three was designed to make it easier for contractors to determine where on the cybersecurity hierarchy their contracts will require them to be.
2. Self-assessments: For certification to levels one and two, a contractor can now undergo a self-assessment process and affirm its compliance with the DoD’s security standards. (Level three still requires evaluation by a qualified third party.)
3. Plans of Action and Milestones are allowed: Where CMMC 1.0 required businesses to complete the certification process before applying for contracts, DIB companies, in some cases, will now be allowed to begin competing for DoD business after submitting Plans of Action and Milestones (POAM) for achieving compliance. (They will then need to complete those plans within a several-month grace period.)

Although clearly a step in the right direction, the DoD’s updated certification program still leaves many contractors confused. Here are just some of the open questions:

• How does a contractor determine which of the three certification levels to aim for? Some experts say level one should suffice for businesses that won’t need to handle and store much CUI, but others argue that level two could be the minimum required to remain competitive for most future contracts.
• Is providing a self-assessment that claims compliance riskier than working with a third-party evaluator? After all, the company’s senior executives will be held accountable for those claims. What will the penalties be if a DoD review later disagrees with the company’s compliance claim?
• Should a DIB company that wants to become eligible for CUI-intensive contracts take the POAM option rather than waiting to complete the CMMC certification? That could lead to contractors sooner– but what happens if the business fails to complete the process in the allowed grace period? Could that result in the loss of a contract and a damaged reputation with the DoD?

Given these (and the many other) open questions, what should a DIB company do– particularly a non-technical DIB company with little expertise in cybersecurity or other data management best practices?

How to Streamline Your CMMC Certification

The DoD should be commended for actively seeking feedback from the DIB community after the launch of CMMC 1.0, acting quickly on that feedback to develop the streamlined 2.0, and ensuring the new version of the program addresses contractors’ key concerns.

In a Defense Department statement on CMMC 2.0, Deputy Assistant Secretary for Industrial Policy Jesse Salazar said, “By establishing a more collaborative relationship with industry, these updates will support businesses in adopting the practices they need to thwart cyber threats while minimizing barriers to compliance with DoD requirements.” It’s encouraging to see the DoD’s senior officials working to make it easier for businesses like yours to achieve compliance with these cybersecurity requirements. But if your company isn’t in the IT or data management business, choosing correctly which of the three certification levels to aim for probably won’t be much easier than finding the right level among the original five. Nor will completing an accurate self-assessment of your company’s compliance with CMMC 2.0.

So, my recommendation is to work with a CMMC expert, such as a Managed Security Service Provider (MSSP) that specializes in helping government contractors cross the cybersecurity-compliance finish line. Yes, earning CMMC 2.0 certification is still a somewhat complicated undertaking. But you can make the process much quicker and less painful by partnering with a third-party firm that has done it for dozens of other DIB companies– companies now enjoying lucrative DoD contracts themselves.

Widget not in any sidebars