Industry--'Don't Wait' for CMMC Accreditation.

Author: Tadjdeh, Yasmin
Position: Algorithmic Warfare

When the Pentagon released its Cybersecurity Maturity Model Certification 2.0 guidelines in November, industry breathed a sigh of relief after learning they had more time to become compliant with the new rules and regulations.

The updated version of the cybersecurity framework--which was revamped to be more streamlined and less expensive for companies--will not be a contractual requirement until the Pentagon completes a rulemaking process in the Code of Federal Regulations and Defense Federal Acquisition Regulation Supplement, which can take up to two years.

The release of the new version followed a months-long internal review of the program. The Pentagon said it received feedback from industry, Congress and other stakeholders including 850 public comments in response to the interim rule establishing the original CMMC. The comments focused on reducing costs, increasing trust in the CMMC assessment ecosystem, and clarifying and aligning cybersecurity rules to other federal requirements and commonly accepted standards, according to the Defense Department.

While the Pentagon has given companies more wiggle room in implementing the cybersecurity framework, experts are advising companies not to hold off on CMMC accreditation once audits kick off, potentially in the new year.

"Don't wait for this to be a requirement in your contract," said Matthew Travis, the CMMC Accreditation Body's CEO. "Go ahead, engage in CMMC and get certified."

There are several benefits to being an early bird, he told National Defense. For example, the Defense Department is exploring opportunities to provide incentives to companies that voluntarily obtain CMMC certification before it is required.

"You can think of a lot of different financial incentives as well as qualitative incentives," he said. "I would like to see the meat on the bone and get those in place."

Additionally, certification signals to customers that a firm is invested in its cybersecurity apparatus, particularly in the wake of major breaches such as SolarWinds and Colonial Pipeline, he noted.

When "you get that badge saying you are CMMC certified, you are conveying to your customers, your competitors, the government [and] your employees that you take cybersecurity seriously," he said. "CMMC certification will eventually be the coin of the realm in federal acquisition cybersecurity, and you'll stand out if you don't have it."

Travis encouraged companies to not wait on the sidelines. "Get in and...
