After months of review, on November 4, 2021, the Department of Defense (DoD) finally unveiled its new version of the Cybersecurity Maturity Model Certification (CMMC 2.0). Well, almost. In a blink-and-you’ll-miss-it moment, the Department posted, then quickly removed, new federal regulations in/from the Federal Register highlighting the changes in CMMC. Most of those changes, however, were ultimately described on the OUSD Acquisition & Sustainment website, which remain posted and available. In conducting its review of CMMC 1.0, the DoD focused largely on clarifying the standard and reducing the cost impact on the Defense Industrial Base (DIB). The result? A “been there, already had to do that” standard that should leave the DIB relatively pleased and the burgeoning CMMC accreditation industry mildly perplexed. In place of the five-tiered, third-party-assessed cybersecurity framework addressing data confidentiality, integrity, and availability, the new CMMC 2.0 presents as a three-tiered, largely self-assessed bolstering of the NIST SP 800-171 safeguarding requirements already required to be implemented by contractors in possession of “Covered Defense Information” (CDI) under DFARS 252.204-7012.
Here’s a glimpse of what’s coming:
Make It Easy For Me:
Here’s an outline of the expected new standard described by DoD:
Level 1: Annual self-assessment of 17 practices
- We’re assuming these will be the same 17 from CMMC 1.0 addressing “Basic Cyber Hygiene” in line with FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems.
- There are also hints that the rulemaking process may include a requirement for company leadership to affirm compliance.
Level 2: Triannual third-party assessment of “critical national security information” and annual self-assessment for “select programs” of the 110 security requirements found in NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
- This couldn’t be more vague.
- Maybe it means that contractors identified as holding “critical national security information” will have a CMMC Accreditation Body (CMMC AB) swing by every three years.
- Maybe it means that these same contractors have to perform annual self-assessments if their program is so “selected.”
- If, however, a contractor is neither designated as possessing “critical national security information” nor working on a “select program,” it is unclear how or if the NIST 800-171 requirements will apply. Expect clarification.
Level 3: Triannual government-led assessment of 110+ requirements in NIST SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171
- This standard contains the more robust selection of controls intended to thwart the advanced persistent threat posed by sophisticated actors (i.e., nation states).
- The focus of NIST SP 800-172 remains on protecting the confidentiality of controlled unclassified information (CUI), “i.e., not directly addressing integrity and availability.”
- CMMC 1.0 contained a host of CMMC-specific practices that look to be removed. These largely addressed areas of data integrity and availability, so their absence reinforces the dominance of the confidentiality requirements found in NIST SP 800-171/172.
- Oddly, despite retaining the name Cybersecurity Maturity Model Certification, CMMC 2.0 also appears to do away with all maturity processes it once envisioned. It remains to be seen how or if the DoD addresses “maturity” in the rulemaking process.
- Also new is that DoD may be examining a selective, time-bound waiver process for contractors. The extent of the program, and whether it happens, remain to be seen, but it may be applied as needed and when expressly approved to facilitate certain acquisitions or programs.
What about the CMMC Accreditation Body?
A significant change resident in CMMC 2.0 is the removal of mandatory annual assessments across all tiers. This does not mean, however, that the CMMC AB is going away. To the contrary, the CMMC AB expressly supported the new direction as a “meaningful and compelling improvement to the implementation of CMMC.” Moreover, the CMMC AB recognized that there are going to be (even more) challenges ahead, as the Board must now (again) adjust its curricula for training providers and account for changes resident in the federal rulemaking process. These folks can’t catch a break.
What Does This Mean For Current CMMC Efforts?
Tracking with CMMC 1.0? Then just hold whatcha got. The current CMMC pilot program is suspended, and contractors in the DIB should not expect to see CMMC in their contracts until the completion of the rulemaking process. However, this programmatic pause should not hinder contractors’ compliance efforts altogether. The DoD remains committed to securing its data and is encouraging contractors to continue to “enhance their cybersecurity posture during the interim period while the rulemaking is underway.”
There’s still a lot to do, and contractors should not take the DoD’s subtle reversion at face value. For the past few years, CMMC cast a light on the DIB’s need to enhance its cybersecurity posture. While the ultimate fate of CMMC seems to be changing, the challenges it was created to battle persist. This means, as we’ve been saying for some time now, contractors should continue to target meeting their NIST SP 800-171 obligations (including its Appendix E “routinely satisfied” assumptions). There is a lot of ground to be covered between this “soft rollout” of CMMC 2.0 and the eventual rules DoD anticipates promulgating. Contractors should use that time to cement their obligations to protect covered defense information, complete and put to bed any lingering Plans of Actions or Milestones (POAMs), and properly assess and then post their status in the Supplier Performance Risk System (SPRS). CMMC may not be what it once was, but neither is the much more engaged customers the DIB is now facing.