Takeaways from our CMMC Summit
This past June, we had the privilege of hosting the CMMC 2.0 Summit, where we invited experts and practitioners to share their insights and experiences on the Cybersecurity Maturity Model Certification (CMMC) Framework. The CMMC Framework is a set of standards and best practices for securing the Department of Defense (DoD) supply chain, and it is expected to affect over 300,000 contractors soon.
The CMMC Framework is a compliance requirement and a valuable tool for improving security posture and resilience. Here are some of the key takeaways from the summit that we want to share with you:
– Our panelists agreed that the CMMC Framework is a useful resource for companies working towards maturing their security programs, especially for those who may need some guidance on prioritizing improvements to documentation and processes.
– Additionally, the CMMC Framework provides useful security benchmarking and scoring that helps companies to know where they stand as they progress in their security journey. These scores can help companies identify their strengths and weaknesses, measure their improvement over time, and potentially make them more competitive during the bidding process.
– Our panelists concurred that the CMMC Framework should be considered for future adjustment, both to reduce some redundant controls (underway with R3) and to focus more on cloud-first environments. The framework also seems to assume a traditional hosted, network-centric architecture, which may not reflect the reality of modern cloud-based systems and the challenges of defining boundaries and demarcating responsibility across them.
– Significant concerns were expressed about the need for future adjustments to incorporate more small business-friendly considerations where possible. The ongoing perception is that the diversity and variability of the DoD supply chain need to be recognized, with more flexibility and incentives for small businesses to achieve compliance without compromising security.
Beyond these takeaways, we also learned about some of the latest developments, trends and recommendations related to the CMMC Framework, such as:
– Joint Surveillance Voluntary Assessments: These are voluntary assessments conducted by third-party assessors in collaboration with DoD representatives, where companies can get feedback on their readiness for CMMC certification. These assessments can help companies identify and address any gaps or issues before undergoing the official certification process and are HIGHLY recommended.
– NIST 800-171 Revision 3: This is the latest version of the National Institute of Standards and Technology (NIST) Special Publication 800-171, which defines the security requirements for protecting controlled unclassified information (CUI) in non-federal systems. This version updates and clarifies some of the requirements and prioritizes implementation over documentation. The timeline for transitioning to Revision 3 has not been established yet, but companies should start preparing for it as soon as possible.
– Other Agencies Following Suit: The CMMC Framework is relevant not only for DoD contractors, but also for other agencies that deal with sensitive or critical information. For example, the Department of Energy (DOE), Department of Education (ED) and other federal and state-based agencies have expressed interest in adopting or aligning with the CMMC Framework. As Matthew Travis, Cyber AB CEO, said at the summit: “I think this is where the world’s going,” referring to the rise of AI and threat actors globally.
We hope that you found this blog post informative and helpful. If you have any questions or comments about the CMMC Framework or our summit, please feel free to contact us at firstname.lastname@example.org. We would love to hear from you!
Remember: “We used to be an industrial nation; we are now an information nation – our data needs to be secure” – Matthew Travis, Cyber AB CEO.
Get engaged with CMMC now.
Conform to 800-171 now.
Get help if you need it!