Akin Gump published a client alert on November 23 discussing the Advance Notice of Proposed Rulemaking (ANPRM) that the U.S. Department of Defense (DOD) published on November 17, 2021, previewing significant changes to its Cybersecurity Maturity Model Certification (CMMC) program. The revamp, “CMMC 2.0,” promises a more streamlined and flexible system for defense contractors and their suppliers to comply with CMMC and DOD’s cybersecurity expectations, with practical changes coming into effect between 9 and 24 months from now. CMMC 2.0 is DOD’s response to a months-long internal review spurred by more than 850 public comments in response to DOD’s September 2020 “CMMC 1.0” interim rule (see our webinar coverage of this rule here). While DOD pursues the forthcoming rulemakings, it intends to suspend current CMMC piloting efforts and has stated it will not include CMMC requirements in DOD solicitations. Contractors should continue, however, to adhere to the existing cybersecurity “assessments” framework (described here), focusing on compliance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 controls and required Basic Assessments.
23 Nov '21