In July 2023, the U.S. Defense Department forwarded its strategy for the Cybersecurity Maturity Model Certification (CMMC) 2.0 framework to the Office of Management and Budget (OMB) for evaluation. The move initiated the long-awaited rulemaking phase for CMMC 2.0.
OIRA (the Office of Information and Regulatory Affairs, a part of OMB) was slated to conclude its review of the CMMC regulation within 90 days of the July submission. That timeline pointed to a decision in October. Now, in November 2023, anticipation is high as we await further developments.
According to MeriTalk, November/December was floated as a possible decision timeframe at the Billington Cybersecurity Summit. But we can’t say anything for sure.
The review process is building toward a pivotal decision by the OIRA to publish CMMC 2.0 as a proposed rule or enact it as an interim final rule. Here’s an overview of what to expect in either scenario.
The more likely of the two outcomes is a proposed rule. In that case, OIRA would release CMMC 2.0 for a 60-day public comment period, but it wouldn’t end there. The proposed rule cycle is widely known to take upwards of a year to reach final rule status, which could push CMMC 2.0 into law in late 2024 or even 2025.
If released as an interim final rule, CMMC 2.0 could take effect within 30 days, accelerating enforcement. This is a much less likely scenario given the complexity and scale of CMMC 2.0.
Finalization will mean that CMMC accreditation is mandatory for contractors dealing with any CUI. Lack of certification could lead to forfeiture of DoD contracts and difficulty procuring them in the future. Adapting to CMMC will mean defense contractors must allocate funds to enhance their cybersecurity measures to align with DoD criteria, incurring further compliance expenses.
You may recall CMMC was rolled out in 2020 as a rigorous cybersecurity framework with 5 levels of compliance for defense contractors handling sensitive data. After industry feedback, the streamlined CMMC 2.0 emerged in 2021:
CMMC 2.0 takes cues from the NIST cybersecurity framework (NIST 800-171 through NIST 800-172), which provides guidance on protecting the confidentiality of controlled unclassified information (CUI) in nonfederal systems and organizations.
The NIST 800-171 cybersecurity framework provides a comprehensive set of controls and assessment objectives for protecting controlled unclassified information (CUI). Since CMMC 2.0 aligns with NIST standards, especially 800-171A, defense contractors can get a head start on compliance by:
By taking these steps now, defense contractors can align their security policies and controls with the NIST standards that underpin CMMC 2.0. This proactive preparation, before CMMC 2.0 is finalized, will ease the eventual transition and reduce the cost of formal certification. It also demonstrates the commitment to cyber readiness that the DoD values in a security partner.
Aligning security controls with NIST guidance lays the groundwork for meeting DoD cybersecurity regulations.
Preparing for CMMC 2.0 requires a strategic approach to identifying and safeguarding your organization's controlled unclassified information (CUI). Follow these key steps:
Taking proactive steps gets you on the path to CMMC readiness. However, you need the right partner to provide advanced data protection capabilities as the new standards roll out. Virtru is the leading solution to secure your organization's CUI communications and collaboration.
Virtru's NIST-compliant encryption and access controls are purpose-built to enable defense contractors to rapidly fulfill rigorous CMMC encryption requirements. Our intuitive interface allows you to seamlessly implement end-to-end email and file encryption across your workflows.
Virtru goes beyond basic protections to provide persistent visibility and control over CUI, even when shared externally. Our customer-controlled encryption keys and detailed audit logs empower you to maintain compliance as CUI moves across your supply chain.
By deploying Virtru's comprehensive, FedRAMP authorized data protection now, you'll have the cybersecurity foundation to build on and reach CMMC certification at any level. We make the complex requirements simple to implement - and even easy for DoD partners to adopt and implement with you.
To discover more about how Virtru can help you with CMMC 2.0 readiness, book a demo today.