CMMC is Evolving. Or is it?
The Department of Defense has updated its Cybersecurity Maturity Model Certification. It’s called CMMC 2.0. The goal was to streamline the process. Make it easier for contractors. Especially small businesses.
The reality is different. The DOD is doubling down on compliance. They are not making it simpler. They are making it more expensive. And more time-consuming.
What Changed?
- Level 1 (Basic Cyber Hygiene) is now a self-assessment.
- Level 2 (Intermediate Cyber Hygiene) maps to NIST SP 800-171.
- Level 3 (Advanced Cyber Hygiene) is a new, more rigorous path.
This sounds good on paper. But Level 2 still requires third-party assessments. That’s a big lift for most small companies. The cost of these assessments is significant. It’s a barrier to entry. It favors incumbents. They already have compliant systems. They have the staff and budget. Small businesses do not.
“They talk about simplification. They deliver more paperwork. More audits. More expense.”
The Real Cost
Beyond the assessment fees, there’s the cost of remediation. Implementing the required controls takes time. It takes money. It takes expertise. Many small contractors lack this in-house. They have to hire consultants. This adds to the burden. It diverts resources from core business functions.
The DOD wants to protect sensitive information. That is a legitimate goal. But the CMMC framework is not the most efficient way to achieve it. It’s a compliance exercise. It’s not a cybersecurity strategy.
What to do this week
Review your current cybersecurity posture against NIST SP 800-171 requirements. Identify gaps. Start budgeting for potential assessments and remediation efforts. Understand that CMMC 2.0 is a marathon, not a sprint. Engage with your contracting officers. Ask them for clarification on specific CMMC requirements for your contracts.
The Incumbent Advantage
This updated framework benefits large, established contractors. They can absorb the costs. They have dedicated compliance teams. They can afford to wait out the changes. Small businesses are left scrambling. They are at a disadvantage. The DOD says it wants to foster small business participation. CMMC 2.0 does the opposite.
Don’t be fooled by the rebranding. CMMC is still a major hurdle. It’s a compliance burden. It’s designed to favor those already established. Small contractors need to be prepared. They need to invest in their defenses. And they need to be vocal about the challenges.