SMT007 Magazine

SMT007-Jun2022

Issue link: https://iconnect007.uberflip.com/i/1469343


56 SMT007 MAGAZINE | JUNE 2022

businesses. As a result, the DoD scrapped CMMC 1.0 and announced CMMC 2.0 in November 2021. The full 2.0 framework is expected to be released sometime next year. But don't make the mistake of thinking the government will kick the CMMC can down the road once again when 2023 rolls around. I fully expect CMMC 2.0 to come online when the rules are final.

At a high level, the two major changes that will likely affect you are the new tiers of security and the shift to annual self-attestation of compliance. The original CMMC defined five levels of security. CMMC 2.0 has three:

1. Foundational
2. Advanced
3. Expert

For most of you, the newly collapsed levels won't change the practical compliance requirements. This is good news. Most contracts will fall into Level 1, so any work you have done to this point to achieve Level 1 compliance under CMMC 1.0 has not been wasted. The new framework relies on the same 17 baseline security controls¹ used in the prior version—more on those controls in a moment.

The key distinction between Level 1 and Level 2 under CMMC 2.0 has to do with the type of information you handle. Level 1 focuses on securing federal contract information (FCI), for which there are no national security concerns. The bar for Level 1 is not set very high—it is essentially developing and maintaining good baseline cybersecurity policies and procedures. In my view, this is something any company should do; it's just a good business practice.

Some of you might fall into one of two Level 2 categories. Level 2 applies if you handle controlled unclassified information (CUI), but it applies differently based on the sensitivity of the CUI involved.

The other major change is that Level 1 and certain Level 2 companies must self-attest to their compliance annually. There's little argument that self-attestation will be less expensive than C3PAO certification, but there was likely more to that decision than altruism on the part of the DoD. Information security sooner rather than later is the department's goal. Allowing for self-attestation should make it more likely that contractors will make compliance efforts well before the final 2.0 rules are set.

Self-attestation comes with another kind of cost, however: unknown risk. For example, what might happen if you self-attest and are later found to be non-compliant? As of this writing, the final rules for CMMC 2.0 haven't been issued. But even if there are no fines associated with falling out of compliance, the financial consequences might be greater than lost opportunity.

About a month before CMMC 2.0 was announced, the Department of Justice (DOJ) made an announcement of its own: a new Civil Cyber-Fraud Initiative which paves the way for civil actions against contractors who misrepresent their cybersecurity readiness. This initiative is based on the False Claims Act (FCA), which permits the government to prosecute organizations and individuals to recover 300% of their damages. FCA further allows them to

Divyash Patel
