The Double-edged Sword of CMMC 2.0



For the past few years, those of you whose SMT organizations supply or contract with the U.S. Department of Defense (DoD) have been hearing about—or even gearing up for—implementation of the Cybersecurity Maturity Model Certification (CMMC) program. By this, I mean that you were gearing up for CMMC 1.0. Today, we have CMMC 2.0, and there are several changes in the new version that affect both the standards for compliance and how you certify that compliance—especially if you run a small business. 

Small businesses are the backbone of the defense industrial base (DIB), just as they are for the entire economy. As both patriots and businesspeople, I’m sure most contractors serving the DoD support the goals of the CMMC program: ensuring the security of sensitive data up and down the supply chain. I’m also certain that the CMMC 1.0 rules, which went into effect in November 2020, caused more than a little stress and anxiety for smaller contractors. Why? Because CMMC 1.0 required contractors to undergo an examination by a Certified Third-Party Assessment Organization (C3PAO) to become certified. 

When it became clear that the burden CMMC 1.0 placed on small contractors was significant enough to potentially force some out of the DIB, the DoD hit pause on the CMMC program. In fact, the official in charge of the CMMC’s implementation came out and said one of the main goals of revising the program was to decrease the cost burden on small businesses. As a result, the DoD scrapped CMMC 1.0 and announced CMMC 2.0 in November 2021. The full 2.0 framework is expected to be released sometime next year.

But don’t make the mistake of thinking the government will kick the CMMC can down the road once again when 2023 rolls around. I fully expect CMMC 2.0 to come online when the rules are final. 

At a high level, the two major changes that will likely affect you are the new tiers of security and the shift to annual self-attestation of compliance.

The original CMMC defined five levels of security. CMMC 2.0 has three:

  1. Foundational 
  2. Advanced 
  3. Expert  

For most of you, the newly collapsed levels won’t change the practical compliance requirements. This is good news. Most contracts will fall into Level 1, so any work you have done to this point to achieve Level 1 compliance under CMMC 1.0 has not been wasted. The new framework relies on the same 17 baseline security controls used in the prior version—more on those controls in a moment. 

The key distinction between Level 1 and Level 2 under CMMC 2.0 has to do with the type of information you handle. Level 1 focuses on securing federal contract information (FCI), for which there are no national security concerns. The bar for Level 1 is not set very high—it is essentially developing and maintaining good baseline cybersecurity policies and procedures. In my view, this is something any company should do; it’s just good business practice. 

This is an excerpt; the entire article appeared in the June 2022 issue of SMT007 Magazine.



Copyright © 2022 I-Connect007 | IPC Publishing Group Inc. All rights reserved.