The Road to CMMC 2.0
CMMC was first announced in 2019 by the DoD as an initiative intended to enhance cyber protection standards across the Defense Industrial Base (DIB) to better protect sensitive unclassified information shared by contractors and subcontractors. One of its primary objectives was to ensure the transition from self-attestations of organizations’ cyber hygiene to third-party assessments.
The DoD’s initial vision for the CMMC framework took a more specific share when the DoD published an interim rule to the DFARS in the Federal Register (DFARS Case 2019-D041) in September 2020. The rule described a tiered model consisting of five cybersecurity maturity levels based on existing requirements:
|Basic Cyber Hygiene
|Consists of the 15 basic safeguarding requirements from FAR clause 52.204-21.
|Intermediate Cyber Hygiene
|Consists of 65 security requirements from NIST SP 800-171 implemented via DFARS clause 252.204-7012, 7 CMMC practices, and 2 CMMC processes. Intended as an optional intermediary step for contractors as part of their progression to Level 3.
|Good Cyber Hygiene
|Consists of all 110 security requirements from NIST SP 800-171, 20 CMMC practices, and 3 CMMC processes.
|Consists of all 110 security requirements from NIST SP 800-171, 46 CMMC practices, and 4 CMMC processes.
|Consists of all 110 security requirements from NIST SP 800-171, 61 CMMC practices, and 5 CMMC processes.
Source: Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041)
The DFARS interim rule went into effect on November 30th, 2020, implementing a five-year phased rollout strategy intended to minimize the financial impacts to the industrial base, especially small entities, and disruption to the existing DoD supply chain. The goal was to include CMMC requirements in all DoD contracts by 2026.
Many members of the DIB and industry professionals voiced their concern over the burdens the implementation of the CMMC framework would bring with it, prompting the DoD to launch an internal review in March 2021.
“As is done in the early stages of many programs, the DoD is reviewing the current approach to CMMC to ensure that it is achieving stated goals as effectively as possible while not creating barriers to participation in the DoD acquisition process,” said Jessica Maxwell, Pentagon spokesperson, in a statement to National Defense in April. “This assessment will be used to identify potential improvements to the implementation of the program.”
The review of the DFARS interim rule was informed by more than 850 public comments, and it ultimately resulted in the creation of CMMC 2.0.
What’s New in CMMC 2.0
According to the document published by the DoD in the Federal Register on November 4th (Cybersecurity Maturity Model Certification 2.0 Updates and Way Forward), CMMC 2.0 updates the framework structure and the DoD cybersecurity requirements to streamline and improve the implementation of CMMC by:
- Cutting red tape for small and medium-sized businesses.
- Setting priorities for protecting DoD information.
- Reinforcing cooperation between the DoD and industry in addressing evolving cyber threats.
More specifically, CMMC 2.0 introduces the following major changes:
Move from 5 to 3 Compliance Levels
Instead of five compliance levels, CMMC 2.0 streamlines the model to just three levels:
In other words, CMMC 2.0 removes Level 2 and Level 4, which were not based on or aligned with any pre-existing requirements.
Reintroduction of Self-Assessments at Lower Compliance Levels
CMMC 2.0 allows annual self-assessments at Level 1 and at the lower tier of Level 2 for select programs.
To perform the self-assessment, all organizations will have to calculate their assessment score and upload it to the Supplier Performance Risk System (SPRS). Previously, this was something only organizations handling Controlled Unclassified Information (CUI) had to do.
At the higher tier of Level 2, organizations will be required to undergo triennial third-parry assessments, while Level 3 will require triennial government-led assessments.
Greater Implementation Flexibility Thanks to POA&Ms and Waivers
Unlike before, CMMC 2.0 will allow organizations that don’t meet every single requirement to make a Plans of Action & Milestones (POA&Ms) and complete the remaining requirements later. However, this will be possible only under certain limited circumstances.
The update also allows waivers to CMMC requirements. Such waivers will be issued on a case-by-case basis and approved by senior DoD leadership. Most likely, they will be used exclusively for time-critical acquisitions.
What Happens Next?
For the changes to be reflected in the new version of CMMC, DoD will pursue rulemaking in:
Until the CMMC 2.0 changes become effective, all CMMC Piloting efforts will be suspended. Likewise, the Department will not approve any inclusion of a CMMC requirement in DoD solicitations.
“The CMMC 2.0 program requirements will not be mandatory until the title 32 CFR rulemaking is complete, and the CMMC program requirements have been implemented as needed into acquisition regulation through title 48 rulemaking,” explains Patricia L. Toppings, Office of the Secretary Federal Register Liaison Officer.
While no official CMMC timeline has been published yet, the federal rule making process usually takes two to three years for a suggestion to be enacted as a rule, so the CMMC 2.0 is actually an acceleration of the prior five-year phased rollout strategy, and it’s important for affected organizations to prepare accordingly.