The final Cyber AB Town Hall of 2024 took place this past November, delivering some big updates on the Cybersecurity Maturity Model Certification (CMMC) program, and if you’re part of the Defense Industrial Base (DIB), you’ll want to take note. From the transition to CMMC 2.0 to practical steps for certification, the session offered valuable insights for anyone navigating compliance.
Here’s what stood out:
The Road Ahead: A Phased Rollout of CMMC 2.0
As we highlighted in our “The CMMC Program Rule is Final: What it Means for Defense Contractors” blog post, CMMC 2.0 is rolling out in phases. The phased approach ensures organizations aren’t overwhelmed while still pushing them toward better cybersecurity practices. Here’s a quick look:
- Phase 1: Focus on self-assessments for Levels 1 and 2, starting with new solicitations.
- Phase 2: Certified Level 2 assessments will be required after 12 months.
- Phase 3: Level 3 certifications will be introduced, expanding requirements another year later.
- Phase 4: Full implementation within 36 months, making CMMC mandatory for all applicable contracts.
These requirements may be implemented earlier for some procurements, so staying proactive is critical.
What You Need to Know About Assessments
Dana Mason from the CMMC PMO broke down the assessment process, and there’s a lot to unpack.
- Choose Your Path: Depending on the type of data you handle, you might need a self-assessment (mainly for Level 1), a third-party (C3PAO) assessment, or a DIBCAC audit (Levels 2 and 3).
- Scoring Matters: For Level 2, the score ranges from -203 to 110, with a minimum passing score of 88. Watch for common pitfalls like gaps in:
  - Multi-Factor Authentication (MFA): Points are deducted if MFA is not implemented for privileged, remote, or general users.
  - FIPS-compliant encryption: Non-compliance results in significant score reductions.
- Don’t Procrastinate on POA&Ms: Plans of Action and Milestones are allowed in certain cases, but you have 180 days to close them out, or you risk losing your certification.
Cloud Providers and Subcontractors: Don’t Forget Them
- FedRAMP Authorization: A must for any cloud service handling CUI.
- Subcontractor Flow-Down Requirements: Compliance doesn’t stop at the prime contractor; subcontractors must meet the applicable standards, too.
If you’re leveraging cloud solutions, ensure they meet these stringent requirements to avoid potential roadblocks.
Congressional Oversight and Ecosystem Support
Matt Travis addressed the ongoing congressional review process, emphasizing the importance of industry-wide alignment as CMMC gains legislative traction. The role of key stakeholders was also discussed:
- DoD CMMC PMO: Oversees the program’s execution and policy updates.
- Cyber AB: Accredits and monitors C3PAOs while maintaining program standards.
- C3PAOs and Assessors: Conduct independent evaluations and issue certifications.
Need Help? Resources Are Available
One of the highlights of the Town Hall was the announcement of new workshops and training opportunities. Whether you’re just starting out or trying to iron out the details, there are tools and resources out there to help:
- Check out DIBNet and CISA for free cybersecurity resources.
- Look into training for CMMC eMASS to streamline your certification process.
- Keep an eye on regional workshops to get direct support from the Cyber AB and CMMC PMO teams.
What Does This All Mean for You?
If you’re a defense contractor, this is your chance to get ahead. Take the time now to assess your gaps, strengthen your security practices, and line up the right partners to help you succeed. Whether it’s tackling self-assessments or prepping for a certified audit, being proactive will save you stress (and protect your contracts) down the road.
We know compliance can feel overwhelming, but it doesn’t have to be. Our Tesseract solution is designed to simplify the process with expert-led, affordable, and comprehensive support. Whether you’re tackling CMMC for the first time or looking for ways to maintain compliance long-term, we’re here to help.
Ready to learn more? Book a free trial of Tesseract today to see how we can make compliance work for you.