CMMC 2.0: A Well-Intentioned Misstep in Cybersecurity

Author: Sfoglia, Pete

The Defense Department rollout of the Cybersecurity Maturity Model Certification, or CMMC, 2.0 was met with much fanfare and anticipation.

Designed to simplify the certification process and ensure that contractors meet a basic cybersecurity standard, it was intended to improve upon CMMC 1.0. However, despite these intentions, the new version has many issues that can potentially undermine its objectives and efficacy.

A significant area of contention is the potential cost of certification, which might disproportionately affect small- to medium-sized enterprises. To meet the standards required by CMMC 2.0's underlying NIST SP 800-171/172 Cybersecurity Framework, organizations may have to invest significantly in upgrading their systems, training their staff and maintaining their certification.

In addition, implementing the necessary cybersecurity measures could be prohibitive, especially for companies with limited resources.

The financial strain extends beyond merely achieving certification. Businesses also face the cost of maintaining compliance in an environment where cyber threats continually evolve. This could require further investment in technology, staffing and training.

In addition, the prohibitive cost of certification could lead to smaller organizations being squeezed out of the defense supply chain, which may, in turn, affect competition and innovation.

The CMMC 2.0 framework also calls for periodic third-party assessments for higher-level certifications. However, the cost of these audits is another financial hurdle companies must clear. While the move toward more self-assessments at lower levels may help mitigate this burden for some, the financial implications could be significant for those requiring higher-level certifications.

Furthermore, there is a lack of clarity around the total cost of compliance. Without clear guidance on the cost of assessments, or the necessary investment required to meet the CMMC 2.0 standards, businesses are left uncertain.

The Defense Department needs to consider providing more support to small and medium enterprises, such as offering grants or subsidies for CMMC 2.0 compliance or creating more streamlined and affordable pathways to certification. This will ensure a diverse and vibrant defense supply chain that balances robust cybersecurity with economic feasibility.

The complexity of CMMC 2.0 also places a significant burden on small and medium-sized enterprises. Though touted as a "simplified"...
