November 30, 2021

Last Updated on January 12, 2024

As orgs in the US defense industrial base (DIB) come to terms with CMMC 2.0, thought leaders in the wider US government contracting sector are seeing “the writing on the wall” about changes that will eventually impact the entire government supply chain, especially firms that handle Controlled Unclassified Information (CUI).

What is the government up to with cyber compliance? And what are the implications you should anticipate and prepare for?

To walk you through all the major ramifications of CMMC 2.0 for government contractors in the DIB and other sectors, John Verry, Pivot Point Security CISO and Managing Partner, recorded a special episode of The Virtual CISO Podcast. The show also features two Pivot Point GRC consultants with broad USG experience: Caleb Leidy, CMMC Consultant/Provisional Assessor, and George Perezdiaz, CMMC/NIST Security Consultant.


A unified program to protect CUI

New rules for CMMC 2.0 are being made at the overarching Code of Federal Regulations (CFR) level, via Title 32 CFR (on national defense) and 48 CFR (on procurement).

Is the government creating a unified program to protect CUI, driven by these rules and supported by the NIST 800-171 cybersecurity standard?

The answer is plainly yes. “That’s already what it is,” Caleb points out. “The reason we’re seeing that step back from CMMC proposed version 1 to CMMC 2.0 is because CMMC 1.0 wasn’t aligned to 32 CFR, which is regulated by the Information Security Oversight Office, the ISOO. And they’ve put some minimums and some maximums in place on what can be done for CUI oversight. They talk about this in their CUI notices. … DoD is the example right now, and they’re already behind on when they expected to implement a ruling at the FAR level, which would put a standardized program in place for oversight in non-executive branch entities, as they call them, that are handling CUI.”

“This is absolutely going to expand out to the entirety of the executive branch federal contractors,” Caleb predicts.

Compressed compliance timeframes?

Because multiple 60-day comment periods are involved in the formal process of altering the CFR, forecasts on when CMMC 2.0 will be finalized range from 9 to 24 months. So, is this a reprieve for DIB orgs? Or is it actually an accelerated timeline versus the now-defunct CMMC 1.0?

“We were talking about a five-year rollout period for CMMC V1,” John notes. “If this becomes part of Title 32 CFR in nine months, doesn’t that accelerate CMMC’s applicability in the DIB?”

“Yes, it does,” George affirms. “32 CFR already has NIST 800-171 in it, and so has DFARS 7012 since 2016. So essentially what the government is saying is, ‘Hey, you were supposed to be doing this since 2016. Now let’s do it; let’s get serious with it.’ So it shouldn’t affect too badly the organizations that were supposed to do what they were saying they were doing.”

“I would see it rolling out in the same way DFARS did it,” says Caleb. “They put the requirements in place through FAR and DFARS and other contracting vehicles. It was 2016 when they put out DFARS 7012 and they gave until December 31, 2017 to be fully compliant. So, it’s probably going to be the same type of timeline [with CMMC 2.0].”

Changing the accountability, not the requirement

While the requirement to comply with NIST 800-171 to protect CUI has been in place for a while, the US Department of Justice (DoJ) has begun brandishing an even older statute—the Civil War era False Claims Act—through its Civil Cyber-Fraud Initiative. DoJ is prepared to bring civil suit against both corporations and individuals that misrepresent their cybersecurity posture.

“[CMMC 2.0] doesn’t change the requirement, but it changes the accountability,” as John puts it. “If you look at the [National Archives and Records Administration] CUI registry, defense information is one of about 20 CUI classifications. So, in theory, there are 19 other classifications and, as this becomes more widely enforced, if you’re processing that data you’re going to be subject to some level of NIST 800-171 compliance requirements.”

So, the DoD’s CMMC program is just the first of more to come from other USG agencies, all underpinned by standardized rules across the entire executive branch contracting space.

“This is what we need to do to continue to be competitive and have a strong and resilient supply chain,” recaps George.


What’s Next?

To listen to the complete episode with John, Caleb and George on CMMC 2.0, click here: EP#71 – Caleb Leidy & George Perezdiaz – CMMC 2.0 is Here! Find Out What It Really Means for DIB and Non-DIB USG Contractors – Pivot Point Security

For more timely guidance on what’s most key for DIB orgs to know about CMMC 2.0, try out this post: