CMMC 2.0 Update for Government Contractors

On November 4th, the Department of Defense (DoD) announced an enhanced “CMMC 2.0” program which will maintain the program’s original goal of strengthening cybersecurity and protecting sensitive data.

In this timely video update, Wendy Terry and Michael Seip review key considerations and discuss:

Note: The DoD is in the process of rolling out the CMMC 2.0 model and updating program details. Stay tuned for more developments and changes.

This video was transcribed through a third-party application. Please disregard any misrepresentations.

Wendy Terry (00:03): Good afternoon everyone. My name is Wendy Terry and I am the practice leader for our government contracting practice here at Withum. I’m very pleased today to have Michael Seip here with me to talk a little bit about CMMC and the changes that we’ve encountered recently. Mike, thanks for joining. Would you just tell our audience a little bit about yourself?

Michael Seip (00:33): Sure. Thanks, Wendy. It’s great to be here. I’m the wireless and mobile technologies and security lead for Withum cyber for our cyber and information security group. And I also head up the CMMC compliance team here at Withum and do a lot of information security advisory and penetration testing, security assessments and the like, so CMMC is keeping us all busy these days.

Wendy Terry (01:03): That it is. So I just thought it would be a good start to just give us some background on, you know, not even just recently, but in the last few months, the change from CMMC 1.0 to 2.0 happened. And I thought maybe you could just give us a little bit of an overview of what was that change and how did it impact our contractors?

Michael Seip (01:30): That’s a good question. And yes, the latter part of 2021, in fact end of November, the Department of Defense took over the CMMC program proper and they transitioned. It was called CMMC 2.0 as the tagline. And the big changes were driven mostly by small business concerns. But the main takeaways are that it went to what was five levels to three levels. And in addition to that requirement, which was the real driving force behind it, the requirement for a universal third party, independent assessment was dropped from levels one, two, and three across the board. And it was the small businesses who are now level one will remain doing a self test or a self certification, much like they do nowadays with the N certification.

Wendy Terry (02:34): So you talked a little bit about how the small businesses drove the decision to change from 1.0 to 2.0. Can you describe a little bit what it means in the 2.0, that it says that they have to have a current assessment? What exactly does that mean?

Michael Seip (02:55): The letter of the instructions by saying the term “current” simply implies that what’s generally regarded as within the past 12 months or last fiscal year, that the organization has either a security assessment, a penetration test or at a minimum of vulnerability scan. There’s no hard and fast definition of current as defined by the DoD presently, but to play it safe. And the way we are advising our clients is that to at a minimum, have ideally a penetration test and a security assessment, but of all scanning also would satisfy.

Wendy Terry (03:40): So you also mentioned that the levels changed and now level one is a self-assessment. Can you describe for me a little bit about what is a self-assessment, what evidence is provided in a self-assessment and how can we help clients with a self-assessment?

Michael Seip (04:01): Sure. As it stands now, and as it has previously been performed and required, small and medium businesses that meet the small size standard as defined on a contract-to-contract basis do in lieu of having an independent assessment of their cybersecurity and their security posture in general, they will self-attest. And what they attest to is that they are in compliance with NIST and specifically the instructions of NIST 801-171. That will continue in CMMC 2.0. The new CMMC level one is federal contract information specific, but it continues the requirement that the contractor is self-certified. And so there’s a checklist.

The materials are through the Department of Defense and under secretary of defense. Withum has some for our clients and any curious parties, you can go to withum.com, follow the links to CMMC, which I believe will attach to the end of this session. And it can steer you to the appropriate paperwork to self-certify.

The main difference in what drove the change in CMMC 2.0 is that small businesses were perhaps justifiably concerned that there was going be an undue burden placed upon them to go out and seek an independent assessor to do all the preparation and work that comes along with that for company’s, thousands of which in the defense industrial base are one or two people effectively sole proprietorships. That’s a difficult standard to meet. And what we recommend is that any individual, any contractor who is subject to CMMC level one, if nothing else be thoroughly familiar with the new requirements, the information is available on the web like I just said. But if you have more than four to five staff and more than one contract, primarily that you’re working, it would be a smart move to talk to us or talk to at least someone to help with preparation activity for CMMC and compliance. And we can help in that respect.

Wendy Terry (07:01): Thanks, Mike. I think that I’ll just add that I think a lot of people are going to benefit from this information because primarily, you know, a lot of previously compliant people really didn’t, they just assumed they were self-assessing. I think that they’re now all the third-party assessors that are going to be in place. I think there’ll be more compliance and heightened regulation over this compliance. So appreciate your thoughts on it. And again, if you would like additional information, please reach out to Mike or myself at withum.com. We’ll be happy to give you as much information that we have at this point. And also if you need additional services, we could certainly direct you to one of our specialists. So thanks again, Mike, for your time. And I look forward to catching up again.

Michael Seip (08:02): Thanks, Wendy. I appreciate it.