Reed Smith Client Alerts

By now, just about every defense contractor is familiar with the Cybersecurity Maturity Model Certification (CMMC), the DoD's certification and third-party assessment program for measuring the maturity of a contractor's ability to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). For some time now, defense contractors around the world have been hand-wringing over the CMMC and the changes it promised to bring.

But the Department of Defense (DoD or Department) issued a press release on November 4, 2021, announcing its intent to suspend CMMC 1.0 (as the original version is now called) and replace it with CMMC 2.0. This is major news because defense contractors, and the DoD itself, have struggled to implement CMMC 1.0 since the interim DFARS rule implementing it took effect on November 30, 2020.

In short, defense contractors should be aware that CMMC 2.0 is essentially a leaner and more flexible version of CMMC 1.0, which we previously discussed in our June 15, 2020 CMMC client alert and in a subsequent client alert analyzing the CMMC pilot program and certification reciprocity. The DoD's press release and its Advance Notice of Proposed Rulemaking make clear that CMMC 2.0 departs significantly from its predecessor. The DoD intends to implement it through rulemaking that amends Title 32 of the Code of Federal Regulations (C.F.R.), with corresponding changes to the Defense Federal Acquisition Regulation Supplement (DFARS) in Title 48 of the C.F.R. According to the DoD, CMMC 2.0 will cut red tape for small and medium-sized businesses, set priorities for protecting DoD information, and reinforce cooperation between the DoD and industry in addressing evolving cyber threats. This alert compares CMMC 1.0 and CMMC 2.0 and discusses how the CMMC 2.0 roll-out will affect your business.