The Cybersecurity Maturity Model Certification (CMMC) 2.0 brings complexities but also opportunities for those companies – primarily in the US – whose operations encompass data handled by the US Department of Defense (DoD). In our latest S-RM Insider podcast, host Matthew Mettenheimer speaks to Juliana Neelbauer, a Partner at Fox Rothschild LLP, about the intricacies of the newly implemented CMMC 2.0, its intersection with the DFARS regulation, and steps for organizations falling into scope to take.
Listen to the S-RM Insider podcast
 |
 |
 |
 |
DFARS and CMMC 2.0
The Defense Federal Acquisition Regulation Supplement (DFARS) primarily focuses on protecting Controlled Unclassified Information (CUI). CUI includes data, materials, intellectual property, software databases etc. and the server systems and DevOps that support all of that. CMMC 1.0 was the initial framework used to help organizations impacted by DFARS to understand the requirements and level of compliance they need to reach. As Juiliana explains, the transition from DFARS to CMMC 2.0 is not only about transferring from one set of rules to another. It also means understanding the new, elevated requirements that organizations must meet to maintain compliance.
The impact of CMMC 2.0 on organizations
Under CMMC 2.0, about 40,000 organizations in the U.S. require compliance with this new regulatory structure at Level 2. This includes subcontractors who have traditionally been given leeway with self-assessment and self-attestation under DFARS, they are now gearing up for more stringent self-assessment i.e. undertaken by third party assessor organizations (C3PAO) in order to comply and avoid breaching their contracts. To put it succinctly, Juliana states, “If you are in the defense space, or supporting others in the defense space, this matters for you to ensure you are not in material breach of your contracts.”
Collaborating with legal and cybersecurity experts
Contractual obligations and legal considerations also add to the complex layers of navigating through CMMC 2.0. Juliana advises that organizations must consider contract reviews and modifications to ensure all parties involved are meeting the requirements and have a clear understanding of each other’s responsibilities.
Matthew highlights the importance of getting "your legal team to view the risk of that contract." Specifically having in-depth assessments and due diligence about the contract terms, the vendor’s responsibilities and whether CUI data will be protected.
When navigating through CMMC 2.0, partnering with experts in the field, such as legal teams or cybersecurity advisors, can provide significant value. The synergy between these different areas of expertise ensures that all bases are covered, from assessing potential security risks to understanding and interpreting legal complexities.
As Juliana explains, bringing together legal and cybersecurity experts allows organizations to leverage both their intelligence backgrounds and legal prowess in order to give customers a comprehensive and well-thought-out package.
Adopting proactive measures and industry best practices
The rollout of CMMC 2.0 offers an opportunity for organizations to adopt proactive measures rather than being reactive. Prioritizing readiness and preparation before scheduling an actual CMMC assessment can save organizations time and minimize security risks.
There’s also a case to be made for businesses to not only attain the bare minimum of meeting compliance requirements, but to also strive to exceed these standards and follow best practices for the industry.
A last word on AI
Matthew mentions that many organizations are racing to the market with AI. But he warns that extra precaution is needed by those working with CUI data in their environment, “you really need to make sure you get your data labelling and classification down very tightly… you don’t want to accidentally disclose information from the government.”
Conclusion
The implementation of CMMC 2.0 calls for all organizations that fall under its scope to have a solid grasp of the new framework, understand their obligations, and take necessary steps to ensure full compliance. Leveraging legal and cybersecurity expertise during this process will help companies to navigate through this new terrain while also future-proofing their systems and operations.
