On November 4, 2021, the Department of Defense (DOD) dropped a bombshell press release stating it plans to retract the Cybersecurity Maturity Model Certification (CMMC) 1.0 and replace it with a simplified, streamlined 2.0. The press release does not explain how DOD plans to simplify and streamline CMMC, but an Advance Notice of Proposed Rulemaking issued concurrently with the press release (and removed later the same day) contains some insights into the key changes DOD intends to make. An archived copy of the notice is available here, and DOD provided the same information during a CMMC Accreditation Body town hall meeting on November 10, 2021. PilieroMazza’s Cybersecurity & Data Privacy Group offers 7 key takeaways government contractors need to know to prepare for CMMC 2.0.
- CMMC 1.0 suspended. Companies will no longer be required to obtain certification under CMMC 1.0, as the entire framework has been suspended. DOD intends to release CMMC 2.0 documents in late November, and the ensuing rulemakings required to implement CMMC 2.0 are projected to take 9-24 months. DOD plans to offer “incentives” to companies willing to voluntarily undergo the new CMMC 2.0 Level 2 certification—explained below—during this time, though DOD has not specified what form those incentives might take.
- Say goodbye to Levels 2 and 4. Because CMMC 1.0 Levels 2 and 4 are primarily transitional between Levels 1-3 and 3-5, respectively, and would serve little other purpose, DOD determined they do not need to be included in CMMC 2.0. Thus, CMMC 2.0 consists of a total of three Levels:
  - Level 1, which did not change;
  - Level 2, which was formerly Level 3; and
  - Level 3, which was formerly Level 5.
- Direct tracks to existing standards. No longer will CMMC rely on a pastiche of controls from various sources. Now, Level 2 will track directly to National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, and Level 3 will track to a subset of requirements from NIST SP 800-172.
- Major assessment changes. Level 1 will now consist exclusively of self-assessments with an annual affirmation from a C-suite officer that the company meets the Level 1 requirements. Level 2 will require bifurcation of controlled unclassified information (CUI) into two categories: prioritized and non-prioritized. Companies requiring access to prioritized CUI will be required to undergo a third-party assessment from a certified third-party assessing organization (C3PAO), just like under CMMC 1.0. Companies requiring access to non-prioritized CUI will make a similar affirmation to that required under Level 1 and be permitted to perform a self-assessment, similar to the existing NIST SP 800-171 self-assessment already required to be posted in the Supplier Performance Risk System. Level 3 assessments will be performed exclusively by Government officials, not C3PAOs.
- Acceptance of plans of action and milestones (POAM). CMMC 2.0 will leave room for POAMs. However, a POAM will not be acceptable for certain “weighted” controls, and a company seeking to use a POAM to fulfill CMMC requirements will need to achieve a certain minimum “score” to be eligible. Additionally, POAMs will be required to be completed within a certain timeline (e.g., 180 days). If a company does not complete all its POAMs within the required timeframe, the contracting officer may take appropriate action under that company’s contract(s), such as terminating the contract(s) for default.
- Possibility of waivers. DOD will be able to approve waivers, but only when a waiver is necessary to accomplish mission-critical work. These waivers will be strictly time-limited and may only be approved by senior DOD personnel.
- Resources for small and mid-sized businesses. Finally, DOD has continued to stress that it hopes companies are not waiting for a contractual requirement to take charge of their cybersecurity. To that end, DOD significantly changed the CMMC home page and now provides several resources for small and mid-sized businesses, specifically. DOD also launched Project Spectrum, a tool designed to help small and mid-sized businesses assess their cybersecurity and determine where they need to improve.