The US Department of Defense (DoD) has just announced CMMC 2.0, a new strategic direction for its cybersecurity program based on public comment and internal assessment. So what does it all mean? 

Many sources say that CMMC 2.0 is about “less requirements,”—but it’s really much more about changing how the DoD will hold defense contractors accountable to the NIST SP 800-171 requirements that have been in place all along. 

We’re speaking to two of our best Security Consultants from right here within our ranks at Pivot Point SecurityGeorge Perezdiaz, CMMC / NIST Security Consultant, and Caleb Leidy, CMMC Consultant/Provisional Assessor. 

In this episode, we discuss:

  • What’s new and what’s not with CMMC Level 1 (for securing FCI) and what is now called CMMC Level 2 (for securing CUI)
  • The overall realignment of the US government’s cybersecurity audit program with NIST 800-171 
  • “Bifurcation” and who will and won’t need a third-party audit if you handle CUI
  • How CMMC 2.0’s new accountability process fits with the recent cybersecurity executive order, the Civil Cyber-Fraud Initiative, the False Claims Act, and upcoming rule changes to 32 CFR and 48 CFR
  • Why “letters of affirmation” are a boon to SMB security and IT leaders compared to the threat of a third-party audit

Mentioned during the podcast:

eCFR :: Home

To hear this episode and many more like it, you can subscribe to The Virtual CISO Podcast here.

If you don’t use Apple Podcasts, you can find all our episodes here.

Listening on a desktop & can’t see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.