Resourcing Your CMMC 2.0 Transition
Security has never come without a cost, and that includes the expected changes to CMMC. DOD’s chief IT office has said costs will depend on the CMMC level a company requires, the complexity of its unclassified network and market forces.
“Resources immediately translate to dollars and people, and we are seeing both,” says Kris Lahiri, chief security officer at Egnyte, which focuses on cloud-based security. “There is a little bit of a sticker shock, for sure.”
Firms are now hiring consultants and subject matter experts to help them navigate the new rules and assessments, Lahiri says. For example, Amazon Web Services has trained consultants who are able to support customers with CMMC compliance challenges.
Any additional expenses must be weighed against the potential cost of not winning a contract or not being eligible for one due to noncompliance, experts say.
CMMC 2.0 has also sparked more hiring for employees who can help vendors meet the new standards without further stretching already busy IT teams.
Those employees “still have to do their day-to-day security, make sure that they’re not hit, because if they are compromised, that could be the end of that contract,” Fielder says.
New technology or training can also add to the price tag of compliance.
Partnerships Are Key to Protecting Controlled Unclassified Information
One of the pillars of the Pentagon’s cybersecurity philosophy, and consequently of CMMC, is better protection of a layer of information known as controlled unclassified information. That designation is reserved for sensitive information the government creates, or industry creates for government, that does not meet the criteria for classification but must still be protected with safeguarding controls.
Partnerships can help contractors track and report who has access to CUI, some of which is unstructured content that may be stored in, say, scanned documents.
“We are seeing that just identifying CUI itself is important,” Lahiri says. “We shouldn’t just assume that a company that has been doing this type of work just knows where all their CUI data is. That’s where this partnership of working with companies such as Egnyte or others can help.”
Using the CUI classification, agencies and industry partners can share key information to ward off cyberattacks.
“This is something you can’t really do at that top-secret level, but partnerships can help share threat intel with you, you can share some threat intel with them, they can help you develop incident response plans and you can work together on developing what you’re going to do if this data is hit,” Fielder says. “So, there is more of a sharing of ideas, a sharing of technology.”
When Will CMMC 2.0 Assessments and Certifications Begin?
Analysts expect CMMC 2.0 to be codified by the end of fiscal 2024 and to appear in contract solicitations in October 2025. While that may feel far away, much work remains.
“We’ve got a little bit of time here, but it’s really important for anyone who’s going to play in this area that you need to be working hard on this,” Fielder says.
Company leaders must know that CMMC is not “just another compliance standard,” Fielder says. “We’ve met it before. We can kind of work around it, or they’ll give us time. But security is not a game anymore.”
Egnyte has been telling customers they should be ready for external assessments by mid-2025.
“2025 is definitely the year that the DOD starts to require people to show what they are doing,” Lahiri says. “There are all kinds of projections on by when this will fully be required, but we are telling our customers to treat 2025 as a real deadline.”