CMMC 2.0 is here

After five years in development, the Cybersecurity Maturity Model Certification (CMMC) 2.0 rule went into effect Nov. 10. It’s the latest version of the cybersecurity framework from the U.S. Department of Defense (War Department) designed to enforce protection of sensitive federal contract information (FCI) and controlled unclassified information (CUI) shared with defense contractors and subcontractors. To bid on defense work, contractors must demonstrate CMMC 2.0 compliance through a self-assessment, a third-party certification or, at the highest level, a government-led assessment, depending on the level the contract requires and the sensitivity of the information involved. Companies in commercial aerospace that want to pursue defense contracts may only now be learning how complex CMMC 2.0 compliance is.

I asked Dr. Henning Dransfeld, director of strategy of industry & solutions, aerospace & defense at business cloud software company Infor, about the challenges of CMMC 2.0 compliance.

“One of the biggest challenges is that CMMC 2.0 regulation is a moving target,” Dransfeld says. “There’s no other defense department in the world so prescriptive and also clear in the way it’s ruling cybersecurity for CUI or contract information.” But one uncertainty is that the rules could change during existing contracts. “We’re trying to make sure our customers understand their duties within compliance and are working toward keeping our cloud software up to date.”

Customers who deploy software as a service must also prove that their data is handled as prescribed, especially CUI, which can make up most of the data in a contract. “With the stricter International Traffic in Arms Regulations (ITAR), we’ve set rules within our software to enforce compliance, but compliance is ultimately the customers’ responsibility,” Dransfeld says.

For the first time, the commercial supply chain is exposed to the ruling. “Anyone delivering to defense contractors must commit to CMMC 2.0,” Dransfeld says. “Some defense contractors are forcing suppliers to become compliant ahead of time to reduce risk in their own chain. It’s a complex challenge, first, to get compliant or compliant-ready, then be audited.”

Success in being audited depends in part on identifying where you are exposed to cyberattack. “The most powerful software application can identify gaps in your risk management,” Dransfeld explains. “Software can track certain holes, and risk assessment tools can identify standard issues. You then can employ artificial intelligence (AI) and historical data to find more sophisticated gaps. It doesn’t replace the full audit, but it can help to identify quickly where you have the biggest gaps.”

Self-auditing may seem like a simple answer, but it’s very complex, according to Dransfeld. “Do your homework as much as possible. Don’t rely on a regulation possibly not being enforced because some resources might be missing in the published ruling. That’s very dangerous, because the potential fines are going to be huge, and you might be excluded from bidding.”

Dransfeld sums up, “I think there’s great relief in the industry about the confirmed status of CMMC 2.0. We know the ruling is going to continue. I think that’s quite a big message to the market.” – Eric

November/December 2025