In November 2021, the U.S. Department of Defense (DOD) announced changes to the Cybersecurity Maturity Model Certification (CMMC), branded as CMMC 2.0. Many of the requirements remain the same; however, we urge you to refer to our detailed overview highlighting five key changes of CMMC 2.0 and their impact on your organization. Since then, further progress in the rulemaking indicates that the DOD intends to move forward with CMMC, and DOD contractors and their internal audit teams need to ensure they are prepared for this new requirement. Before moving toward a CMMC assessment, organizations should strongly consider employing their internal audit function for assurance of their CMMC readiness. And, with the requirement that a senior official affirm continuing compliance, internal audit can play an important role each year after certification is earned.
Because internal audit exists to provide independent and objective assurance, its role in cybersecurity is to assess whether an organization is taking the steps necessary to appropriately safeguard the DOD’s data at the CMMC maturity level that will soon be required to compete for and win certain DOD contracts.
Contractors that only have access to federal contract information (FCI) and do not foresee pursuing contracts involving any kind of data beyond FCI need only meet and maintain the 17 practice requirements of CMMC Level 1, which map directly to existing Federal Acquisition Regulation (FAR) 52.204-21 requirements. Contractors already working with controlled unclassified information (CUI), or that would like to do so in the future, must put in place the 110 practices required by CMMC Level 2.
Understanding where FCI and CUI data exist in your environment is an important first step in determining the level and scope that your CMMC assessment needs to cover. This is where the organization’s internal audit function, or an objective third party, can help confirm and/or recommend how management sets the boundaries of where FCI and CUI exist within the organization’s environment. Limiting the scope narrows where the robust CMMC-required practices must be applied, which can speed up the CMMC readiness process.