On November 4, the Department of Defense (DoD) announced changes to the Cybersecurity Maturity Model Certification (CMMC) framework, calling it CMMC 2.0.
Significant updates were made to the CMMC infrastructure, but overall CMMC 2.0 simplifies the standard. The DoD also expressed its support of the CMMC Accreditation Body (CMMC-AB), with the CMMC-AB echoing the direction of the proposed changes. The changes to the CMMC technical standard remove two levels (CMMC 1.0 Levels 2 and 4) from the maturity model framework and designate CMMC Level 1 as requiring only a self-attestation by the C-suite. Level 2 will require a mix of self-attestation and third-party assessment, as needed based on contract requirements, and Level 3 is reserved for only the highest-priority programs, requiring a Government-based assessment. Self-attestations will have a minimum score, with the ability to remediate through a Plan of Action and Milestones (POAM) within a maximum of 180 days.
Still maintaining the program’s original goal of safeguarding sensitive information, CMMC 2.0 standards will not become a contract requirement until final rulemaking is completed, which the DoD anticipates will take 9-24 months. In light of these changes, Edwards will continue to offer the valuable CCP classes, with added concentration on 800-171 and a continued focus on CUI, Data Governance, CMMC Ethics, The CMMC Assessment Process, Scoping, and more. As a matter of fact, about 95% of the current CCP content remains accurate! The small “delta training” required to prepare a student to sit for the exam will be provided directly by CMMC-AB once participation in a CMMC-AB approved CCP training, from an LTP, has been completed. That’s right – you have no risk or additional financial obligations by signing up for the CCP now.
The intention of the CCP is to provide the foundational knowledge to assist internal InfoSec/IT roles in preparing their organization for self-assessment or third-party assessment, to help consultants (MSPs, RPOs, etc.) guide their clients to appropriate readiness, and to serve as a critical starting point for candidate assessors. This has not changed with CMMC 2.0, and the content of the CCP curricula is extremely focused and valuable in reference to CMMC 2.0. Additionally, Edwards’ students are automatically enrolled in a free weekly study group focused on disseminating and understanding ongoing updates to the CMMC 2.0 program, as well as providing answers to challenges our students face in their own application of CMMC. The study group will remain in place until the CCP exam is publicly available and is the ideal place to build your network, developing relationships with each other and our world-class instructors.
If you are considering waiting until the CMMC model is “fully baked” or the exam is available, you may miss out on the latest guidance and the opportunity to ready your organization or your client for the impending final rule, which makes CMMC 2.0 inclusion in DoD contracts mandatory. Join us today!
For more information about the CMMC 2.0 standard, visit the DoD website or the CMMC-AB latest news.