Riding the Department of Defense Compliance Roller Coaster
There are many quotes about the importance of "staying the course," and as we look at the latest CMMC 2.0 announcement from the Department of Defense (DoD), those words ring true. Since 2016, Security Vitals has helped organizations address DoD compliance requirements, and it has been an eventful journey. First came NIST SP 800-171; most manufacturers faced an uphill climb adopting the required cybersecurity controls. One limitation of that framework is its "one size fits all" approach: the same 110 requirements apply to any organization handling Controlled Unclassified Information (CUI), regardless of size or the sensitivity of the data.
Next came CMMC 1.0, a tiered approach intended to address the scaling shortcomings of 800-171. Instead of a single bar, it defined five maturity levels, with the required level dictated by the type of information an organization received under its contracts. The new standard also added procedural requirements for implementing, maintaining, and validating ongoing compliance, including third-party assessment. Over time CMMC 1.0 was revised into version 1.02, and discussion of further changes continued.
Over the past year, the shifting state of CMMC requirements made it difficult to plan and allocate compliance resources. As a company that provides guidance and manages compliance programs for firms required to meet CMMC, our team monitored the changes and ultimately advised customers to stay focused on the 800-171 requirements. As it turns out, this was good advice, because the CMMC 2.0 announcement brings even more significant changes.
Making Sense of CMMC 2.0
In early November 2021, the DoD released a set of proposed changes to the CMMC framework, dubbing it the "2.0" version. While this draft promises to simplify many areas of the compliance roadmap, it is important to note that the changes are not expected to be finalized through rulemaking for another 9 to 24 months. So, where does this leave companies committed to ultimately meeting the requirements?
Staying the course is an excellent plan for now. Our team recommends continuing down the NIST 800-171 path, which provides the foundational controls needed to meet the evolving CMMC requirements. In fact, the proposed 2.0 changes revert to core components of 800-171, such as the Plan of Action and Milestones (POA&M) for tracking controls not yet implemented, which CMMC 1.0 had disallowed. The proposal also reduces the number of compliance levels from five to three, with the new Level 2 mapping directly to the 110 controls of 800-171, further simplifying the path to compliance. Other proposed changes reconsider the requirement for a formal third-party assessment and would allow an annual self-assessment as the mechanism for reporting compliance status for Level 1 and a subset of Level 2 programs.
No one can dispute the importance of protecting DoD data, and companies that take a measured, consistent approach to compliance will benefit from both continued contracts and improved security.