Separating Fact From Fiction: Debunking Myths Around CMMC 2.0

This article originally appeared on the ISACA blog

With more than 220,000 companies supporting the Department of Defense, the defense industrial base presents an enticing target for hackers, nation-states, and cybercriminals. On November 4, 2021, the Department of Defense announced that it would replace the Cybersecurity Maturity Model Certification (CMMC) 1.0 with CMMC 2.0. The new, streamlined framework exists “to protect the defense industrial base from increasingly frequent and complex cyberattacks.” 

In its new form, CMMC 2.0 aims to reduce red tape for small and medium-sized businesses, establish priorities for protecting DoD data, and foster cooperation between the defense industry and the DoD in combating cyber threats.

When introducing new compliance standards or revising existing regulations, the anticipation of changes can often create myths. Failing to separate fact from fiction can cause your organization to misunderstand how the compliance landscape will shift, leading to a failure to comply that puts DoD contract eligibility and revenue at risk.

CMMC 2.0 Myth Busting 

We’ve collected four important myths to dispel regarding CMMC 2.0 that, if left unaddressed, could leave your organization unprepared and out of compliance.

Myth #1: CMMC is in limbo. 

During a six-month review process, the DoD gathered extensive commentary from the defense industry to develop CMMC 2.0. CMMC 2.0 will not be a contractual provision until the completion of the rulemaking process. The DoD expects to complete that phase within 9 to 24 months. It will then become a contract requirement.

Takeaway: CMMC 2.0 is moving forward. While contractors may feel they are in limbo due to the six-month review process, there are no indications that the DoD will fail to complete the rulemaking process within its window. 

Myth #2: Compliance will become less expensive under CMMC 2.0. 

CMMC 2.0 changed the assessment process, including the frequency and use of third parties. Instead of undergoing a third-party assessment, Level 1 companies under CMMC 2.0 will complete an annual self-assessment to cover specific elements outlined in the framework. Level 2 contractors will undergo a third-party assessment every three years, while Level 3 will be subject to government-led assessments. 

Takeaway: Level 1 contractors will not need to budget for additional third-party fees. Level 2 and Level 3 will need to set aside the budget to prepare and/or pay for third-party audits and support periodic audits by the government. 

Myth #3: It’s ok to wait until Level 3 requirements become public. 

While the exact requirements are under development, the government has stated that Level 3 will require a subset of NIST SP 800-172. Furthermore, Level 2 will incorporate 110 practices from NIST SP 800-171. Also impacting the timeline for compliance will be the bottleneck of service providers eligible to perform third-party assessments for contractors who are required to have Level 2 compliance. At the time of this article, only 8 service providers are accredited 3PAOs.

Takeaway: Since Level 3 will rely on a subset of NIST SP 800-172, your company can use the time before the exact requirements become known to assess its ability to comply and begin vetting, selecting, and scheduling your 3PAO partner. 

Myth #4: Once finalized, CMMC 2.0 will apply retroactively.

Existing DoD contracts will not receive a blanket modification to reflect CMMC 2.0 and its requirements. Instead, new or recompeted contracts will reflect CMMC 2.0. Taking the time to prepare now will allow your company to compete for new and existing contracts.

Takeaway: Since CMMC 2.0 will not apply retroactively, the compliance burden for contractors is a little lighter. However, with that burden removed, the government’s expectations regarding compliance for new or recompeted contracts will conceivably be higher. This justifies starting the compliance effort sooner rather than later.

Preparing for CMMC 2.0 Compliance

For companies that support the United States’ defense efforts, compliance with cybersecurity standards is a matter of national security and critical to maintaining defense contracts. 

While some aspects of CMMC 2.0 are under development, it’s not too early for your company to focus on achieving compliance by automating compliance management, so that you can centralize risk and compliance activities, measure your maturity, and increase visibility into status for executives. The final regulation implementing CMMC is expected in nine to 24 months. It can take up to 18 months for companies to get ready, so compliance professionals don’t have as much time as they think.


Jason Sechrist is the Director of Compliance Solutions at AuditBoard, where he works with CIOs, CISOs, and IT compliance teams to help automate the administrative tasks of governance, risk, and compliance activities. He previously was the Global Head of Internal Audit and IT Compliance at Rackspace Managed Cloud Company, and started his GRC career with PwC in Silicon Valley. Connect with Jason on LinkedIn.