CMMC 2.0 Implementation Could Take Up to Two Years, Official Says
The revamped version of the Department of Defense Cybersecurity Maturity Model Certification could take as long as two years to take effect, the head of the program said.
Speaking at a town hall meeting, Buddy Dees, director of CMMC within the office of the undersecretary for acquisition and sustainment, said the rulemaking process for the new cybersecurity standards needs to be formalized first, a step that could take between nine and 24 months to complete.
Until then, the DOD is suspending CMMC pilots and will not require certifications as part of any contract, Federal News Network reported.
In the meantime, the department is seeking companies that are willing to be assessed voluntarily for CMMC Level 2 certification. According to Dees, the DOD is considering providing incentives for volunteers.
CMMC 2.0, which was announced on Nov. 4, reduced the number of cybersecurity maturity levels that contractors have to comply with from five to three.
The revised program allows companies to conduct annual self-assessments for Level 1 certification. David McKeown, the DOD's deputy chief information officer for cybersecurity, told attendees at the town hall meeting that 140,000 contractors fall under the foundational level.
The majority of contractors under Level 2 will have to undergo triannual assessments by CMMC third-party assessment organizations (C3PAOs), but some will be cleared to conduct self-assessments. McKeown estimates that only 40,000 companies will be assessed by C3PAOs.
Lastly, he said roughly 500 companies categorized under Level 3 will be audited by an internal DOD division.
Despite expressing support for CMMC 2.0, Matthew Travis, CEO of the CMMC Accreditation Body, warned that the simplification of the contractor requirements could collapse the market of cybersecurity assessors. Travis said McKeown’s estimate is too low and could cause a shortage in demand for assessors.