Akin Gump published a client alert on November 23, which discusses that on November 17, 2021, the U.S. Department of Defense (DOD) published an Advanced Notice of Proposed Rulemaking (ANPRM) previewing significant changes to its Cybersecurity Maturity Model Certification (CMMC) program. The revamp, “CMMC 2.0,” promises a more streamlined and flexible system for defense contractors and their suppliers to comply with CMMC and DOD’s cybersecurity expectations, with practical changes coming into effect between 9 and 24 months from now. CMMC 2.0 is DOD’s response to a months-long internal review spurred by more than 850 public comments in response to DOD’s September 2020 “CMMC 1.0” interim rule (see our webinar coverage of this rule here). While DOD pursues the forthcoming rulemakings, it intends to suspend current CMMC piloting efforts and has stated it will not include CMMC requirements in DOD solicitations. Contractors should continue, however, to adhere to the existing cybersecurity “assessments” framework (described here), focusing on compliance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 controls and required Basic Assessments.
CMMC 2.0: Changes Coming to DOD’s Cybersecurity Maturity Model Certification
Categories
© 2024 Akin Gump Strauss Hauer & Feld LLP. All rights reserved. Attorney advertising. This document is distributed for informational use only; it does not constitute legal advice and should not be used as such. Prior results do not guarantee a similar outcome. Akin is the practicing name of Akin Gump LLP, a New York limited liability partnership authorized and regulated by the Solicitors Regulation Authority under number 267321. A list of the partners is available for inspection at Eighth Floor, Ten Bishops Square, London E1 6EG. For more information about Akin Gump LLP, Akin Gump Strauss Hauer & Feld LLP and other associated entities under which the Akin Gump network operates worldwide, please see our Legal Notices page.