CMMC 2.0 Will Allow for Flexible Contractor Security Assessments
CMMC 2.0 will also reduce costs for contractors, allowing certain companies to demonstrate compliance through self-assessments rather than third-party assessments, Fowler says.
The rule will allow for flexible implementation of reliable assessments to address its predecessor’s shortcomings and has been designed to achieve the DOD’s goals.
“These include safeguarding sensitive information, enforcing cybersecurity standards, ensuring accountability, fostering a collaborative culture and maintaining public trust,” says Adam Marrè, CISO at Arctic Wolf. “Complying with CMMC requires a cohesive security strategy that incorporates diverse solutions like compliance platforms, encrypted assets, data backups and monitoring tools to address vulnerabilities.”
Making the decision to keep a CMMC program in-house should not be taken lightly, Marrè adds.
“Failing the third-party CMMC 2.0 audit on the first attempt may result in needing to correct security shortcomings and facing a potential backlog of audits before receiving a second opportunity,” Marrè says.
CMMC originally made it challenging for small and midsize organizations due to the cost and resource requirements involved in the certification process, which required assessments executed by a third party. “In 2.0 they can self-assess annually for Level 1 and in certain instances for Level 2,” says Antonio Sanchez, principal evangelist at Fortra. “This allows them to be more competitive and provides a much larger pool of contractors to deliver products and services.”