On November 4th, the Department of Defense (DoD) announced major revisions to the Cybersecurity Maturity Model Certification (CMMC). Since it first entered federal law in December of 2020, the CMMC has only undergone minor revisions, bringing it to version 1.02. Now the framework will jump ahead to version 2.0, with a streamlined system of security levels, introduction of a waiver process, and changes to the framework core.
While full details of the CMMC 2.0 update are still forthcoming, DoD officials have indicated that the update is intended to address longstanding concerns in the defense contracting community, especially among small-to-medium sized businesses (SMBs). Most significantly, the requirement for third-party assessment will be dropped for more than half of the defense industrial base, substantially reducing the compliance burden for many organizations.
While the new CMMC requirements will not show up on contracts for at least nine months, contractors who have been preparing for CMMC compliance will need that time to change their strategy and prepare for the new rule changes. In this article, we’ll explain what these rule changes are, and what they entail for your business.
New Direction for CMMC
Since it was first announced in 2019, the CMMC has provided a model for government agencies seeking to enforce better standards of cybersecurity compliance on their supply chain partners. After a historic year for cyberattacks that illustrates critical vulnerabilities among federal agencies and contractors, this goal has never been more important.
But – in the words of Deputy Assistant Secretary of Defense (DASD) for Industrial Policy, Jesse Salazar – the DoD has struggled to find a balance between “adopting the practices they need to thwart cyber threats” and “minimizing barriers to compliance”. Accordingly, lawmakers and industry leaders have expressed concerns that CMMC requirements are too onerous or costly for some defense contractors.
In its recent announcements, the DoD has signaled a new direction for CMMC that addresses these concerns: CMMC 2.0 will provide greater flexibility to small businesses in the defense contracting industry with less reliance on third-party assessment, and a more streamlined core framework.
CMMC 2.0 vs CMMC 1.02
As of November 29th 2021, the CMMC 2.0 framework is not publicly available, and while rules are expected to be made public in the near future – followed by a 60-day period for public comment – the rulemaking process may be extended through Fall of 2023.
Fortunately, the DoD has made some details available, primarily through the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD A&S) website, and through a notice issued on the 17th. With these sources in mind, here are some major differences between CMMC 2.0 and 1.02:
Streamlined Level System
Under CMMC 1.02, defense contractors were evaluated under five levels of security, ranging from “Basic,” “Intermediate” and “Good” cyber hygiene at levels 1-3, to an “Advanced” security program at Level 5. CMMC 2.0 eliminates levels two and four, leaving only three levels that roughly correspond to the original Level 1, Level 3 and Level 5.
- Level 1 “Foundational” – like the original Level 1, this level will include 17 “basic” security controls derived from Federal Acquisition Regulation (FAR) rules 52.204-21
- Level 2 “Advanced” – like the original Level 3, this level will include the 110 controls in National Institute of Standards and Technology (NIST) special publication (SP) 800-171. However, 20 additional rules have been eliminated, leaving only NIST-derived security controls.
- Level 3 “Expert” – little was known about the additional cybersecurity controls at the original Level 5. The picture is more straightforward for Level 3 under CMMC 2.0: in addition to the controls from NIST SP 800-171, organizations will be required to follow a subset of controls derived from NIST SP 800-172.
Ultimately, any “CMMC unique security practices” appear to have been eliminated from CMMC 2.0, directly mapping the core framework to existing FAR and NIST legislation alone. Furthermore, organizations will no longer be evaluated for “Process Maturity” or “Institutionalization” as they were under previous versions of CMMC.
Reduction of Third-Party Assessment
Under CMMC 1.02, all defense contractors were required to undergo assessment by a third-party assessment organization (C3PAO) once every three years, whether or not they stored controlled unclassified information (CUI) considered critical to national security. Under CMMC 2.0, this requirement has changed substantially.
Of the roughly 220,000 companies in the defense industrial base, 140,000 will fall under Level 1 of CMMC 2.0, meaning they will only be required to undergo self-assessment once per year with the oversight of a senior level executive. The same will go for companies at Level 2 who do not hold “critical” CUI – or about half of them.
At Level 3, companies will be required to undergo a triennial governmental assessment, although details are not yet available. This leaves about 40,000 companies at Level 2 who will still have to undergo third-party assessment once every three years.
Expanded Exceptions and Leniencies
Under CMMC 1.02, the conditions for contract award were straightforward: companies needed to be compliant, or lose eligibility. Under CMMC 2.0, the DoD will be more lenient, awarding contracts to some organizations without CMMC implementation, provided they submit a Plan of Action and Milestones (POA&M) and agree to abide by a hard deadline.
CMMC 2.0 will also introduce a limited waiver process which would allow organizations to forego some CMMC requirements under special circumstances. While these allowances would likely not apply to mission-critical security controls, many details of the process and its scope have not been clarified yet. Even so, a waiver process represents a radical departure from CMMC 1.02.
Preparing for CMMC 2.0
In some ways, CMMC 2.0 maintains substantial continuity with existing security legislation and compliance processes. In other ways, it is a major step forward, holding defense contractors to a high standard of accountability and cyber-readiness. While many questions about the updated program remain unanswered, it is not too early to start preparing with a few simple steps:
- Install C-Level officers to approve annual assessments – many organizations are familiar with the current self-certification process for NIST SP 800-171. Under CMMC 2.0, much of this process will remain the same, but organizations under Level 1 and Level 2 who are not storing prioritized CUI will need an executive level officer to sign off on the self-assessment.
- Take advantage of DoD resources – with the new direction of CMMC 2.0, the DoD has committed to helping its partners in any way it can, with resources like Project Spectrum, providing organizations with free educational materials and a cyber readiness check.
- Get a readiness assessment – since it is based on existing NIST regulations, it’s possible to start preparing your organization for compliance with CMMC 2.0 right now. A professional readiness assessment will reveal gaps in your systems and networks, establishing a roadmap for CMMC 2.0 compliance individualized to your organization.
Based on our years of experiencing conducting assessments for compliance with NIST standards that form the basis of CMMC 2.0, Securicon can perform readiness assessments and mock audits to help your organization prepare for the real thing. With a DoD background, our world-class experts are ready to take stock of your IT assets and build a security response plan that is tailored to your organization’s needs. Contact us to learn more.