For the last two years, organizations that handle sensitive defense information have been making strides towards complying with the cybersecurity standard issued by the U.S. Department of Defense (DoD), the Cybersecurity Maturity Model Certification (CMMC). Launched in January 2020, the CMMC is a certification procedure for assessing and strengthening the cybersecurity environment of federally contracted companies.

However, on November 4, 2021, the DoD issued a press release announcing their plans to retract Version 1.0 of the CMMC and replace it with an updated version that provides a more streamlined and flexible system for defense contractors and their suppliers. In this post, we'll take a closer look at the enhanced CMMC 2.0 program and what it means for your organization moving forward.

Background of the CMMC

The U.S. DoD is one of the largest supply chains in the world, with hundreds of thousands of contractors, vendors, and partners essential to military operations. Since U.S. information networks are a very valuable target for cyberattacks, securing the supply chain of the Defense Industrial Base (DIB) is a critical challenge. With the goal of ensuring contractors meet an appropriate level of cybersecurity protections, the DoD introduced the CMMC in 2020 to reduce the risk to the Controlled Unclassified Information (CUI) that resides on its contractors’ systems.

The CMMC evolved from the National Institute of Standards and Technology (NIST) and Defense Federal Acquisition Regulation Supplement (DFARS) frameworks after concerns that most defense contractors only maintained basic security hygiene standards. Until the CMMC was released, companies could self-certify their compliance with the appropriate cybersecurity processes instead of obtaining third-party validation (which became a requirement under CMMC 1.0). Depending on their cyber maturity, defense contractors would earn a certification ranging from Level 1 (basic cyber hygiene) to Level 5 (advanced security operations), which would determine which defense contracts they could bid on.

The Evolution of the CMMC

After its initial publication in January 2020, several draft versions of the CMMC were released over the course of the next few months. In September 2020, the DoD published the DFARS Interim Rule, which designates the CMMC as the new cybersecurity framework for DoD contractors and requires them to perform a self-assessment (based on NIST 800-171) and report those results to the Supplier Performance Risk System (SPRS). The Interim Rule also phased the CMMC certification requirement over a five-year period.

In response to the Interim Rule, more than 850 public comments were generated regarding the complexity of the framework, the cost of obtaining a third-party certification, the lack of alignment with NIST standards, and concerns over an accreditation backlog from an inadequate number of CMMC Third-Party Assessor Organizations (C3PAOs). In March 2021, the DoD initiated an internal review of the CMMC program to determine if the goals of the CMMC were being achieved without unnecessary strain for defense contractors. The DoD conducted over 1,000 interviews regarding the challenges surrounding the CMMC process. After the completion of this internal program assessment, CMMC 2.0 was drafted and released November 2021.

The Release of CMMC 2.0

Even with the introduction of Version 2.0 of the CMMC, the overall goal remains focused on safeguarding sensitive unclassified information. In addition, the updated CMMC also plans to:

  • Streamline compliance requirements at all levels (eliminating unique practices and maturity processes)
  • Simplify the CMMC standard and provide clarity on cybersecurity, regulatory, policy, and contracting requirements
  • More closely align to existing cybersecurity standards
  • Reduce the reliance on third-party assessments
  • Increase the oversight of the third-party assessment ecosystem

With these enhancements, the DoD aims to minimize the barriers to compliance with the CMMC requirements and increase the overall ease of execution. Furthermore, these changes were made to instill a collaborative culture of cybersecurity and cyber resilience and enhance public trust in the CMMC ecosystem.

The Key Changes of CMMC 2.0

Below, we take a closer look at the changes currently found in CMMC 2.0.

Reducing the Number of Compliance Levels from Five to Three.

CMMC 1.0 established a new certification procedure for assessing the cybersecurity environment of contracted companies working within the DIB. The certification scaled across five levels: Level 1 (Basic Cyber Hygiene), Level 2 (Intermediate Cyber Hygiene), Level 3 (Good Cyber Hygiene), Level 4 (Proactive), and Level 5 (Advanced/Progressive). Spread across those five levels were 171 cyber hygiene practices, based primarily on NIST SP 800-171 with a few drawn from other sources.

CMMC 2.0 reduces the number of compliance levels from five to three, removing the two transitional levels found in CMMC 1.0. The three increasingly progressive levels will include:

CMMC 2.0 Level 1 (Foundational)

At this time, CMMC 2.0 Level 1 will contain the same controls as CMMC 1.0 Level 1, which required the 17 basic cyber hygiene practices under FAR 52.204-21. Defense contractors that do not process, store, or transmit CUI, but do handle Federal Contract Information (FCI), will only need to submit the results of a self-assessment to the DoD. The annual self-assessment report must also be accompanied by an affirmation of compliance by company leadership. CMMC 2.0 Level 1 is designed to be a foundational level and is intended to work as an opportunity for contractors to develop and strengthen their cybersecurity posture.

CMMC 2.0 Level 2 (Advanced)

For CMMC 2.0 Level 2, compliance will be similar to CMMC 1.0 Level 3 and will require the satisfactory implementation of the 110 controls set forth in NIST SP 800-171. Level 2 indicates advanced cybersecurity practices and is the minimum level contractors must earn in order to handle CUI. Depending on the sensitivity of the information covered by a given contract, companies will either submit an annual self-assessment or, for critical national security information, undergo a third-party assessment and certification.

CMMC 2.0 Level 3 (Expert)

CMMC 2.0 Level 3 is designed for contractors that work on sensitive DoD contracts and requires an expert implementation of cybersecurity practices. While Level 3 is still under development, it is expected to include the 110+ practices based on NIST SP 800-172. Compliance with FAR 52.204-21 and NIST SP 800-171 is also expected. Contractors will also have to undergo a triennial government-led assessment of their cybersecurity maturity and compliance (rather than a C3PAO assessment). However, contractors may need to have a C3PAO assessment for CMMC 2.0 Level 2 conducted before the government-led CMMC 2.0 Level 3 assessment.

Quick Look at the Key Differences

CMMC 1.0

Level                    Practices                              Assessment
Level 1 (Basic)          17 practices                           Third party
Level 2 (Intermediate)   72 practices (2 maturity processes)    None
Level 3 (Good)           130 practices (3 maturity processes)   Third party
Level 4 (Proactive)      156 practices (4 maturity processes)   None
Level 5 (Advanced)       171 practices (5 maturity processes)   Third party

CMMC 2.0

Level                    Practices                                       Assessment
Level 1 (Foundational)   17 practices                                    Annual self-assessment
Level 2 (Advanced)       110 practices (aligned with NIST SP 800-171)    Triennial third-party assessment for critical national security information; annual self-assessment for select programs
Level 3 (Expert)         110+ practices (aligned with NIST SP 800-172)   Triennial government-led assessment

Better Alignment with Existing NIST Cybersecurity Standards.

As a result of the changes made in CMMC 2.0, CMMC-specific practices and maturity processes will be removed to ease alignment efforts and provide a direct track to widely accepted cybersecurity standards. Previously, CMMC Levels 2 through 5 included various CMMC-specific cybersecurity requirements in addition to the controls set by the various NIST standards. In the new CMMC model, Level 1 will include 17 "basic" controls derived from FAR 52.204-21, Level 2 will be aligned with NIST SP 800-171, and Level 3 will be based on NIST SP 800-172. However, with the elimination of the unique CMMC requirements, there has been no further clarity on what, if anything, distinguishes the CMMC from NIST SP 800-171 and SP 800-172 themselves.

Self-Assessment Changes.

Prior to the CMMC, companies were able to self-certify their compliance with DFARS requirements and were not obligated to provide evidence of their security practices. Ultimately, this self-certification led to a significant number of security breaches and IP theft in the defense supply chain. When the CMMC was originally introduced, contractors were required to complete a third-party assessment at all five of the compliance levels. By eliminating the self-attestation process, the DoD aimed to gain proper assurance of its contractors' cybersecurity controls and better ensure they can defend against current and evolving cyber risks. However, many contractors raised concerns regarding the potential cost and burden of completing a third-party assessment during the CMMC compliance process.

CMMC 2.0 reverts to reliance on contractor self-certifications and only a limited number of contractors will need to perform a third-party assessment. For CMMC 2.0 Level 1, contractors will be able to submit an annual self-assessment with an annual affirmation of compliance by company leadership. CMMC 2.0 Level 2 is the minimum level for contracts that contain CUI, so completion of a third-party assessment is dependent on the information being handled. Contracts that involve “critical national security information” will require a triennial third-party assessment, whereas less sensitive programs can submit an annual self-assessment.

The Acceptance of Plans of Action and Milestones (POA&M).

When undergoing a third-party audit, organizations can develop a Plan of Action and Milestones (POA&M), a report that describes how unimplemented security requirements will be met, how any planned mitigations will be implemented, and the scheduled completion dates for these milestones. Many NIST frameworks (e.g., NIST SP 800-115 and NIST 800-53) define POA&M reports, and these definitions are used in compliance standards like the CMMC and FedRAMP. Federal agencies often consider these plans when deciding whether to pursue an agreement or contract involving sensitive CUI with an organization.

In the original version of the CMMC, contractors were required to be fully compliant with the necessary CMMC level prior to being awarded the contract. Under CMMC 2.0, contractors that do not meet the specified contract level requirements can potentially still win the bid if they have a POA&M in place to meet those requirements in the future. Contractors can only submit a POA&M in certain limited circumstances, though. The DoD will not accept a POA&M for certain weighted controls, and companies must have already achieved a baseline "score" requirement to support certification with POA&Ms. In addition, if awarded the contract, eligible contractors must complete their POA&M within 180 days or they risk contract termination. Through the use of POA&Ms, the DoD aims to give companies the flexibility necessary to meet evolving threats and make effective risk-based decisions during the CMMC compliance process.

Adding Waivers to CMMC Requirements.

Similar to the POA&Ms, CMMC 2.0 will introduce a broader waiver process for contractors to add additional flexibility and speed to the certification process. Waivers can only be approved by senior DoD personnel and only under certain limited circumstances, such as time-sensitive acquisitions where CMMC requirements would delay mission-critical work. These waivers will be strictly time-based and determined on a case-by-case basis, and will apply to the CMMC requirement as a whole rather than to individual controls.

Self-Assessment Scoping Guidance.

For CMMC 2.0, the DoD released Scoping Guides for both CMMC 2.0 Level 1 and Level 2, although no such documents were provided for CMMC 1.0. These Scoping Guides describe which assets within a contractor's environment will be assessed and the details of the self-assessment. Currently, the Scoping Guides definitively list government property, Internet of Things (IoT) devices, Industrial Internet of Things (IIoT) devices, operational technology (OT), restricted information systems, and test equipment (e.g., oscilloscopes, power meters) as specialized assets that are within scope for a self-assessment when documented properly. Other assets considered in scope for an assessment include:

  • External Service Providers (ESPs): Cloud service providers, co-located data centers, managed security service providers
  • People: Employees, contractors, vendors, ESPs
  • Technology: Servers, client computers, mobile devices, network appliances
  • Facilities: Physical office locations, server rooms, data centers, secured rooms

Timeline of CMMC 2.0

While the DoD continues to finalize the CMMC 2.0 rulemaking process, it does not intend to include CMMC requirements in any contracts prior to its completion and plans to suspend the current CMMC piloting efforts. The DoD expects this process to take anywhere from nine to 24 months, and companies will be required to comply once the new rules go into effect. There will also be a mandatory 60-day public comment period and concurrent congressional review prior to the CMMC becoming effective.

During this ongoing period, the DoD encourages contractors to continue to adhere to the existing CMMC framework, focusing on compliance with NIST SP 800-171. The DoD has even developed Project Spectrum, a comprehensive information platform to help contractors assess their cyber readiness and begin adopting comprehensive cybersecurity practices. The DoD is also currently exploring potential incentive opportunities for contractors who voluntarily obtain a CMMC 2.0 Level 2 certification in the interim period, but no further information has been released yet. Ultimately, until the official CMMC 2.0 is implemented, participation in the CMMC program will be completely voluntary.

The release of CMMC 2.0 was the DoD's response to the various concerns raised by defense contractors over the certification process, potentially making it more affordable and achievable. While the rulemaking process is taking place, contractors should use this time to continue updating and improving their cybersecurity systems and processes and to ensure alignment with NIST SP 800-171. CMMC 2.0 will become a contractual requirement for all organizations looking to conduct business with the DoD as soon as the rulemaking process is finalized, but only time will tell exactly when that rollout will be.
