SummaryMost relevantAll NewsOther languagesPress ReleasesOfficial PublicationsSector news

Learning Tree International : Top 10 CMMC 2.0 Questions and Answers

12/21/2021 | 03:50pm EDT


On November 4, 2021, the Department of Defense (DoD) announced sweeping changes to the Cybersecurity Maturity Model Certification (CMMC) program. The previous version of CMMC (1.0) is now being upgraded to 2.0, with the continued aim of improving the security of the defense industrial base through assessments and third-party cybersecurity certifications. These changes will affect the nation's supply chain of more than 350,000 companies worldwide.

As the largest licensed training provider in the Cyber Security Maturity Certification ecosystem, we have put together this in-depth Q&A to help deliver certification clarity and guidance to contractors, subs and organizations around the world.

Q.Is there a replacement for CMMC now that it is undergoing significant change?
A. While CMMC 2.0 is under development, the Pentagon is encouraging defense contractors to follow cybersecurity practices laid out by the National Institute of Standards and Technology (NIST 800-171).

If you would like to learn more about NIST and how it impacts your CMMC compliance, check out our brand new NIST SP 800-171 Requirements Training course.

Q. Is there an approximate timeframe for rolling out CMMC 2.0?
A. The discussed timeframe is somewhere between 9 and 24 months to finalize the rulemaking efforts. This includes a 60-day public comment period prior to the rule taking effect.

Q.Why did they make such sweeping changes to CMMC 1.0?
A. To provide clear requirements and accountability. In addition, the Pentagon decided to revamp the CMMC because it was considered too costly and burdensome for many in the defense industry, especially small to medium-sized enterprises that do not have relevant data.

Q. How long will it be before CMMC 2.0 is released with contracts requiring certification?
A. New requirements will not show up in contracts for at least nine months, with the potential for the rulemaking process to stretch out as late as fall 2023.

Q. Under CMMC 1.0 the initial estimate for DoD contractors needing third-party assessment was 350,000. Is that still the case?
A. The DoD estimates that there are roughly 40,000 companies holding controlled unclassified information (CUI) and will still require a third-party assessment.

Q. Will there be any formal announcements or communication regarding CMMC changes?
A. The Pentagon is continuing to finalized and publish details on the updated CMMC standards via the program's website by the end of 2021.

Q. With the suspension of CMMC 1.0, will there still be a need for companies to seek certification?
A. While the Pentagon will not require the certification as part of any contract until after the rules have been finalized, nearly 500 companies fall into the "level three" category, working on highly sensitive programs. They will still need to follow "expert" cybersecurity practices.

Q. Who will conduct the Level 3 assessments?
A. Unlike the CMMC 1.0 guidance where C3PAOs would conduct the assessments, they'll now be audited by an internal DoD division, the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

Q. What does it mean when DoD says that some contractors will be able to self-attest?
A. If a company doesn't handle data deemed critical to national security, they will only have to self-attest to their cybersecurity practices on an annual basis.

Q. Are there minimal requirements that must be met now in order to be awarded a contract?
A. Yes. Organizations must get started on with their NIST SP 800-171 compliance to meet all 110 controls. Getting started now is key, as preparation can take up to 18 months.

Key Takeaway

The road to CMMC readiness is a long one. However, it doesn't have to be hard, and you don't have to go at it alone. at it alone. Learning Tree will serve as your CMMC certification partner and will help keep you up-to-date on the latest news, requirements and changes.

Still need help?

If you need CMMC guidance or have additional questions, check out our CMMC Business Solutions page or contact us at: 1-888-843-8733.


Learning Tree International Inc. published this content on 21 December 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 21 December 2021 20:49:01 UTC.

© Publicnow 2021
05/17Learning Tree Announces an Expanded Course Collaboration with Amazon Web Services, Inc
04/12APEX Learning Tree launches Kickstarter Campaign
03/19Understaffing leaves after-school programs with unmet demand
03/01LEARNING TREE INTERNATIONAL : What is Transformational Technical Leadership and Why Does I..
01/28LEARNING TREE INTERNATIONAL : Does Agile Transform a Business?
01/20LEARNING TREE INTERNATIONAL : Manage Yourself and Manage Your Team with Office 365
01/11Duke Corporate Education and Learning Tree Form New Partnership to Cultivate Key Leader..
01/11LEARNING TREE INTERNATIONAL : Expand the Pipeline of Job-Ready Cloud Risk Management Profe..
01/11LEARNING TREE INTERNATIONAL : Duke Corporate Education and Learning Tree Form New Partners..
More news
Duration : Period :
Learning Tree International, Inc. Technical Analysis Chart | LTRE | US5220151063 | MarketScreener
Managers and Directors
David Brown Chief Executive Officer & Director
Igor Lima Chief Financial Officer
Kevin Ross Gruneich Non-Executive Chairman
Magnus Nylund Chief Operating Officer
Richard J. Surratt Independent Director