On November 4, the Department of Defense (DoD) announced the strategic direction of the Cybersecurity Maturity Model Certification (CMMC) program, which marks the completion of an internal program assessment led by senior leaders across DoD.

CMMC 2.0 brings about a number of changes which DoD will be pursue through the rulemaking process and will include public comment periods.

Listen to Neal Beggan, a Principal in Cherry Bekaert’s Information Assurance & Cybersecurity Practice, selected as one of the first Provisional Assessors nationwide by the CMMC Accreditation Body, and Eric Poppe, a Managing Director in the Firm’s Government Contractor Services Group, as they discuss DoD’s modifications and their potential impact on contractors and subcontractors in the defense industrial base (DIB).

Changes include:

  • Eliminating levels 2 and 4 of the framework and using National Institute of Standards and Technology (NIST) cybersecurity standards
  • Companies at Level 1, and a subsection of companies at Level 2 will only be required to demonstrate compliance through annual self-assessments
  • Triannual third-party assessments at Level 2 for critical national security information, as well as triannual government-led assessments at Level 3
  • Increase in oversight of professional and ethical standards of third-party assessors
  • New waiver processes for select requirements – DoD indicated:
    •  “Under certain limited circumstances”, companies can make “Plans of Action & Milestones (POA&Ms)” to achieve certification
    • “Under certain limited circumstances”, waivers to CMMC requirements will be allowed

DoD is also suspending the current CMMC pilot program for select contracts and will not approve any CMMC requirements in DoD solicitations while the rulemaking is underway. The Defense Department further indicated that it is looking at providing incentives to contractors who voluntarily obtain certification during the interim period and more information will be forthcoming.

Catch up on Cherry’s Bekaert’s Insights pertaining to CMMC 2.0:


View All Government Contracting Podcasts

 

Neal W. Beggan

Risk Advisory Services

Partner, Cherry Bekaert Advisory LLC

Eric Poppe

Advisory Services

Managing Director, Cherry Bekaert Advisory LLC

Past Episodes

Podcast

November 19, 2024

18:36

Speakers: Lynnette Leidwinger, Brendan Halloran

Explore key subcontracting insights, including compliance reviews, teaming arrangements, and hiring tips for government contractors.

Podcast

November 14, 2024

22:36

Speakers: Michael G. Cippel, Irwin Kaplan

Discover year-end planning essentials for government contractors, including contractor waterfall insights, cash forecasting & monthly performance tracking.

Podcast

November 11, 2024

20:43

Speakers: Sarah McGregor, Brooks E. Nelson, Mark Giallonardo

Learn how to claim disaster losses and defer casualty gains under IRS rules. Explore relief measures for individuals and businesses affected by disasters.