The Defense Department Shakes Up Their CMMC Contractor Cybersecurity Program

Published: November 10, 2021


The Pentagon has announced revisions to their evolving Cybersecurity Maturity Model Certification program aimed at enforcing contractor cybersecurity.

The Department of Defense (DoD) recently announced a much-anticipated revamping of their budding Cybersecurity Maturity Model Certification (CMMC) program, dubbing the revised program CMMC 2.0.

The revisions “maintain the program’s original goal of safeguarding sensitive information, while simplifying the standard with additional clarity on regulatory, policy and contracting requirements; focusing the most advanced cybersecurity standards and third-party assessment requirements on contractors supporting the highest priority programs; and increasing oversight of professional and ethical standards,” according to the DoD announcement.

Last March, the DoD launched an internal review of the CMMC program to refine its policy and program implementation, fueled by feedback and concerns from industry about the impacts and implications of the fledgling program on companies large and small.

CMMC 2.0 Program Changes

The update to CMMC affects several elements of the program structure and the requirements to streamline and improve implementation of the CMMC program.

  • Consolidated Certification Levels – The CMMC 2.0 revisions reduce the number of certification levels from five to three, eliminating levels 2 and 4. DoD is also removing CMMC-unique practices and all maturity processes from the CMMC Model. The new levels 1-3 are identified as Foundational, Advanced and Expert, according to DoD’s new CMMC website. Level 2 will reflect the 110 security practices included in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. Level 3 (formerly Level 5) requirements are still under development, but are expected to be based on a subset of NIST SP 800-172 requirements.
  • Self-Assessments at Lower Levels – DoD will continue to allow annual self-assessments with an affirmation or attestation by the leadership of a Defense Industrial Base (DIB) company for CMMC Level 1 and select Level 2 certifications for companies who only handle Federal Contract Information (FCI) and not the more sensitive Controlled Unclassified Information (CUI).
  • Third-party Assessments at Higher Levels – The revamp maintains the role of the CMMC Accreditation Body (AB) in accrediting third-party CMMC auditors, i.e. CMMC Third Party Assessment Organizations (C3PAOs). Under the new schema, independent third-party assessments will be required only for Level 2 and Level 3 certifications. However, DoD has decided that Level 3 assessments will be conducted by government officials.
  • New Flexibilities – The revisions also include provisions for a limited waiver process to exclude CMMC requirements from acquisitions for select mission-critical requirements, under the approval of senior DoD leadership. DoD is also allowing for the very limited use of the Plan of Action and Milestones (POA&M) process, whereby approved companies may be given a set timeframe to achieve CMMC compliance.
  • New Regulations Coming – The DoD will use the federal regulation rulemaking process to implement the CMMC 2.0 framework going forward, with changes specifically to Title 32: National Defense and Title 48: Federal Acquisition Regulations System of the Code of Federal Regulations (CFR). Both will have public comment periods. In October 2020, the DoD issued an interim acquisition rule to the Defense Federal Acquisition Regulation Supplement (DFARS) to clarify its CMMC framework implementation. Under the new approach, CMMC 2.0 program requirements will not become mandatory until the CFR rules are finalized.
  • CMMC Pilots on Hold, Overall Timeframe is TBD – Until the CMMC 2.0 changes are finalized into federal regulations, the DoD “will suspend the CMMC piloting efforts, and will not approve inclusion of a CMMC requirement in DoD solicitations,” according to a forthcoming Federal Register notice that was obtained by the Federal News Network and included in their report on the CMMC changes. Meanwhile, the timeline for the CMMC program remains in flux.

Implications

The CMMC changes appear likely to reduce the administrative and cost burden on small and medium-sized businesses associated with getting CMMC assessments for lower-level certifications, because these firms may self-assess and attest to meeting Level 1 standards for basic cybersecurity. The cost of getting independent assessments for every certification level was a major concern for many small and medium-sized businesses.

Since CMMC 2.0 will now require independent third-party assessments only for Level 2 certifications and above, the number of C3PAOs needed to meet industry demand is likely to be significantly reduced. That’s good news for the companies that need to obtain these audits, because it eases supply and demand issues. That change is not such good news for firms and individuals that were looking to the CMMC assessment ecosystem for vast new business opportunities. Nonetheless, the demand for assessments will be significant, given where we are in the program’s lifecycle.

The revival of the self-assessment and affirmation elements is a curious thing, since DoD has said that the shortcomings of this “honor system” approach are what spurred the creation of CMMC, at least in part. It is noteworthy that the Justice Department launched its new Civil Cyber Fraud Initiative (CCFI) to use provisions in the False Claims Act (FCA) to pursue cybersecurity-related fraud charges against government contractors and grant recipients who knowingly misrepresent their cybersecurity practices or protocols.

The increased threat of legal action further raises the stakes for entities that might flirt with fudging their cyber self-assessments. And while the program revisions should reduce the upfront cost burden on small businesses that may self-attest because they do not require the higher-level certifications, there still remains the specter of backend legal costs if those firms must spend resources defending themselves against False Claims Act charges, warranted or not.

Finally, the timeline for when CMMC will take full effect depends on how quickly the DoD moves forward on the rulemaking process to get the forthcoming rules finalized. Watch that process as an indicator of how high the department prioritizes the CMMC program.