CMMC 2.0: DoD Advises Industry To Begin Preparing Now

Miles & Stockbridge P.C.

On November 17, 2021, DoD published a notice of proposed rulemaking in the Federal Register, which formally announced the launching of the Cybersecurity Maturity Model Certification (CMMC) 2.0 framework. Among other things, version 2.0 streamlines the framework from 5 levels to 3 levels, scales back the requirement that all 300,000 contractors within the defense industrial base (DIB) obtain third party certification, and provides DoD additional flexibility by allowing for the limited use of Plans of Action & Milestones (POA&Ms) and waivers. DoD’s announcement of these changes, which are discussed in a recent blog post, coincided with the publication of a GAO Report that was critical of DoD’s rollout of CMMC 1.0. For instance, GAO criticized DoD for failing to communicate effectively with stakeholders and noted that the 5-year pilot program launched in November 2020 had already fallen far behind schedule. Perhaps mindful of this criticism, in the past few months, DoD has published several documents about version 2 and has discussed the changes at a number of public engagements.

Since the announcement of CMMC 2.0, DoD has published several documents (all available here), which provide additional information about the changes DoD is introducing to CMMC. These include a Model Overview of Version 2.0, which presents the updated CMMC model and each of its elements in detail. Appendix A of the Model Overview presents the model in matrix form by domain, and lists which practices are required under each CMMC level for each of the 14 domains. These domains align with the 14 families specified in NIST SP 800-171. Additionally, DoD has released self-assessment scoping documents for the new CMMC Level 1 and the new CMMC Level 2 (which coincide, respectively, with Levels 1 and 3 of CMMC 1.0). DoD has also disclosed that it expects the rulemaking process to take 9-24 months.

Finally, DoD representatives have been actively participating at a number of public engagements and have provided additional advice to industry stakeholders. Most recently, on February 1, 2022, the ABA Section of Public Contract Law’s Committee on Cybersecurity, Privacy & Data Protection hosted a panel event on CMMC 2.0: Challenges for 2022. The panelists included John Ellis, Director, Software Division, Defense Contract Management Agency; Matthew Travis, CEO, CMMC Accreditation Body; Robert Metzger, Shareholder, Rogers Joseph O'Donnell, PC; and Sean Bamford, Legal Director Cybersecurity & Chief Privacy Officer, Lockheed Martin. Although panelist comments were made on the basis of non-attribution, several themes emerged from the event:

  • Although the rulemaking process is expected to take 9-24 months, the panelists noted that cybersecurity threats are escalating and present a persistent threat to contractors, and encouraged contractors to take action now.
  • The panelists highlighted that despite some streamlining and changes to implementation, the basic practices required under CMMC have not changed from version 1.0 to version 2.0. The panelists also stressed that all members of the DIB will still have to certify; the only difference is who performs the certification.
  • In addition to the triennial certification requirement, CMMC 2.0 will require all contractors to make an annual “affirmation” of compliance, which, in conjunction with the Department of Justice’s Cyber Fraud Initiative, will heighten the risk of liability for noncompliance under the False Claims Act.
  • DoD is considering incentives to encourage early certification, including a 4-year certification period for early adopters rather than the standard 3-year period.
  • DoD is exploring potential reciprocity or partial reciprocity between the CMMC certification requirement and other cybersecurity standards, such as FedRAMP.
  • The panelists expressed optimism that as the number of third-party assessors grows, market forces will lower the cost of third-party certification. The panelists also reiterated that companies that are proactive in preparing for certification will be able to navigate the process more quickly and at lower cost.

Opinions and conclusions in this post are solely those of the author unless otherwise indicated. The information contained in this blog is general in nature and is not offered and cannot be considered as legal advice for any particular situation. The author has provided the links referenced above for information purposes only and by doing so, does not adopt or incorporate the contents. Any federal tax advice provided in this communication is not intended or written by the author to be used, and cannot be used by the recipient, for the purpose of avoiding penalties which may be imposed on the recipient by the IRS. Please contact the author if you would like to receive written advice in a format which complies with IRS rules and may be relied upon to avoid penalties.

© Miles & Stockbridge P.C. | Attorney Advertising