CMMC 2.0 – What Government Contractors Need to Know!

It’s actually better than we could’ve wished for, as of November 2021!

The Department of Defense (DoD) has recently announced significant modifications to its Cybersecurity Maturity Model Certification (CMMC) program, with the aim of making it less complicated and costly for contractors to meet. The new CMMC 2.0, unlike its predecessor, uses three rather than five compliance levels; the required security controls (known as practices) are aligned with NIST Special Publications (SP) 800-171 and 800-172, and the previously required maturity processes have been removed entirely. The changes also include a move to self-assessments for all but the contractors on the most sensitive programs, as well as the return of Plans of Action and Milestones (POA&Ms) as a way to demonstrate compliance and obtain certification.

Following are the new standards in a nutshell:

CMMC Level 1 – Contractors must implement the 17 controls from NIST SP 800-171 specified in FAR 52.204-21 and submit an annual self-assessment to the DoD through the Supplier Performance Risk System (SPRS) as part of their foundational certification.

CMMC Level 2, Advanced – To meet this level, contractors must implement the 101 controls in NIST SP 800-171. If they handle (as yet undetermined) critical national security information, they also need a triennial independent assessment performed by a CMMC Third Party Assessment Organization (C3PAO).

CMMC Level 3, Expert – Engineers must implement the NIST SP 800-171 controls as well as a subset of controls from NIST SP 800-172, and then undergo a triennial government-led assessment. The Department of Defense is still working on the detailed requirements for this level.

Under CMMC 2.0, waivers may be granted only in specific, limited, mission-critical circumstances, and obtaining one requires approval from high-ranking military officials.

Through a “plan of action and milestones,” or POA&M, the Department of Defense intends to set a baseline of requirements that must be met before contract award, while allowing the remaining items to be completed at a later date. CMMC 1.0 contained no such provision.

The DoD intends to move forward with the CMMC 2.0 rulemaking process for both the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS), which will include a public comment period and finalization of both rules before the CMMC 2.0 changes take effect. The DoD predicts this will take between nine months and two years. Only after that will the Department of Defense start including CMMC 2.0 requirements in contracts. In the meantime, the DoD has suspended its CMMC 1.0 program and will not include CMMC requirements in any DoD solicitations until further notice.

If you are new to the conversation about the CMMC being implemented by the Department of Defense, here is a little bit of history.

For nearly two years, the Defense Department has struggled to develop a system for ensuring that all Defense Industrial Base (DIB) firms comply with cybersecurity standards for handling sensitive but unclassified information.

That process, known as the Cybersecurity Maturity Model Certification (CMMC), has gone through many revisions since it was formally introduced in early 2020 and is, in fact, still evolving, as the recent changes noted above show. At its core, however, the CMMC is meant to ensure that military contractors can safeguard sensitive defense data by adhering to a minimum level of security hygiene.

Previously, the CMMC program required Department of Defense contractors to obtain third-party cybersecurity assessments. The DoD’s CMMC Accreditation Body, a nonprofit, trains and certifies the C3PAOs (CMMC Third Party Assessment Organizations), which in turn evaluate contractors’ cybersecurity.

Assessors would conduct audits and certify that a business had met the necessary criteria before it could win Defense Department contracts. Contractors would be responsible for paying for the audits and for any remediation needed to comply.

The deadlines for the different CMMC certification levels were staggered across the rollout period, and by 2026 all of the Pentagon’s contracts were expected to include CMMC provisions. The regulations would have affected more than 300,000 vendors in the Defense Industrial Base.

However, because of pushback from companies concerned about the burden and expense of CMMC implementation, the initiative was subjected to an internal Defense Department review in recent months.

Hence, the Birth of CMMC 2.0

On Nov. 4, the Pentagon rolled out its “CMMC 2.0” strategy following the conclusion of the internal evaluation.

The Department of Defense’s updated cybersecurity plan, CMMC 2.0, is intended to further secure the defense industrial base. These changes are meant to help businesses adopt the practices they need to defend themselves against cyber threats, while lowering compliance hurdles under DoD standards by fostering a more collaborative working relationship with industry.

CMMC 2.0 keeps the program’s original objective of safeguarding sensitive information, while adding modifications intended to simplify the standards, minimize barriers to compliance, offer greater clarity on regulatory, policy, and contracting requirements, increase department oversight of professional and ethical standards in the assessment ecosystem, and improve overall execution efficiency.

In Conclusion

CMMC 2.0, unlike its forerunner, uses three rather than five compliance levels, and the previously required maturity processes have been removed entirely. The changes include self-assessments for all but the most sensitive contractors, and Plans of Action and Milestones are coming back as a way to demonstrate compliance with the standards. These modifications give many more small businesses access to government contracting without having to jump through hoops that may be too expensive or time-consuming to meet DoD requirements, while still remaining secure.

Our friends at Govology have a webinar with Aliahu Bey of Totem Technologies on the new CMMC 2.0 rules. You can register for it here: Evolving DoD Contractor Cybersecurity Requirements (Nov 2021 Update).