Most compliance frameworks change from time to time. But it’s rare to see the level of change that the Cybersecurity Maturity Model Certification, or CMMC, is currently undergoing. In a bid to make CMMC compliance more straightforward and affordable – and, by extension, help smaller businesses sign contracts with the U.S. Department of Defense, which requires CMMC compliance from its vendors – the U.S. federal government has revamped or rewritten critical components of the CMMC. The updated version is known as CMMC 2.0.
If you follow compliance news, you probably already know that the CMMC is evolving. What you may not yet know is what the CMMC changes mean for the typical business.
To provide some insight into that topic, here’s a look at the top three changes likely to result from the CMMC overhaul. Changes have already started to take effect over 2021 and will continue throughout 2022 for many businesses as they adapt to the brave new world of CMMC 2.0.
Prediction 1: Increased CMMC compliance self-assessments
One of the most meaningful updates the government has made to CMMC is allowing self-attestation of compliance. Previously, businesses hired outside auditors to attest to their CMMC compliance.
Couple that change with the fact that CMMC 2.0 has only three compliance levels instead of five, and it seems very likely that we’ll see more and more businesses performing CMMC self-assessments in 2022 and beyond. Instead of hiring outside auditors and consultants, companies will take the more cost-effective self-assessment approach.
This change will also likely translate into a more significant number of SMBs becoming CMMC-compliant. In the days of CMMC 1.0, when compliance assessments cost a lot more, it was harder for smaller businesses to gain compliance attestation.
It’s essential to keep in mind that not every business can self-attest, of course. According to the DoD, only about 140,000 of the 220,000 total companies in the defense industrial base hold “federal contract-related data,” which entitles them to self-assessments. The rest will have to use the traditional, more costly assessment approach to obtain a higher level of assessment.
There are specific procedures to follow, including having a senior company official attest to your compliance and submitting the attestation to the Supplier Performance Risk System (SPRS). Keep in mind, too, that even if you self-assess, you can’t simply file a report and call your business CMMC-compliant. Still, the process is cheaper and easier than relying on outside consultants.
Prediction 2: More CMMC compliance transparency
More self-assessments will likely also contribute to a tendency among companies to embrace the principle of transparency when it comes to CMMC compliance. That’s because disclosing security vulnerabilities is an essential step toward making self-attestations credible.
As a result, expect transparency to become the rule, not the exception, for companies pursuing CMMC compliance. In particular, more businesses are likely to establish vulnerability disclosure programs (VDPs) to communicate clearly about security issues.
This will mark a significant shift from the present. Traditionally, companies have tended to be tight-lipped about vulnerabilities, disclosing them only when legally required to do so. But in the future, adopting a transparent, open approach to security will help businesses establish their credibility and good-faith commitment to the CMMC – and, by extension, it will help position them to win government contracts.
Prediction 3: CMMC compliance will demand supply chain security automation
While VDPs are one step toward transparency and self-assessing your CMMC compliance, another critical practice is automating software supply chain security. Given the sharp uptick in software supply chain security risks, that’s especially true.
Supply chain security automation tools make it fast and straightforward to identify security risks within the supply chain and to document and disclose them according to compliance requirements. Instead of manually tracking and disclosing risks, as they do today, businesses seeking CMMC compliance are likely to embrace supply chain security automation.
SMBs, in particular, are poised to take the greatest advantage of supply chain security automation tooling, which will help them reduce compliance costs and complexity. (This is another reason, by the way, why the updated CMMC framework is likely to result in more involvement by SMBs in the CMMC space.)
These are our predictions about how CMMC 2.0 will change the way businesses approach CMMC compliance. But since we here at Findings have built a world-class supply chain security and compliance automation platform, we’d like to think we have a pretty well-informed perspective on this topic.
We’d also like to think that, as more and more businesses seek solutions for automating CMMC compliance, they’ll turn to Findings. Findings offers the automated assessments, best-practice recommendations, and reporting features businesses need to self-assess and simplify compliance operations. In turn, it reduces the number of questions you need to answer during compliance processes from hundreds to just a few.
Ultimately, Findings places compliance with frameworks like CMMC within reach of every business, not just those with teams of compliance experts and expensive compliance consultants.