The Pentagon’s Revised Cybersecurity Maturity Model Certification Program

Published: November 24, 2021

Tags: Federal Market Analysis, Acquisition Reform, Cybersecurity, DEFENSE, Policy and Legislation

The DoD’s revisions to its contractor cybersecurity program bring a simplified structure and tap the brakes on the speed of implementation.

In March, the Department of Defense (DoD) launched an internal review of its Cybersecurity Maturity Model Certification (CMMC) program to refine its policy and program implementation. Recently, the department announced revisions to the program that affect its structure, requirements and timeline.

CMMC Program Review

The November virtual Town Hall of the CMMC Accreditation Body featured speakers from the DoD CMMC program. Jesse Salazar, Deputy Assistant Secretary for Industrial Policy, said that the review launched last March was conducted by an 18-member executive steering group and took into account feedback from Congress and public comment on the interim acquisition rule to the Defense Federal Acquisition Regulation (DFARS) that the DoD issued back in October 2020. The review had a three-fold goal: managing costs for small businesses, clarifying cyber regulations and contracting requirements, and reinforcing trust and confidence in the developing CMMC assessment ecosystem.

Details of CMMC 2.0 Program Changes Finalized

At the town hall, Salazar was joined in outlining the changes to CMMC by David McKeown, DoD Deputy CIO for Cybersecurity, and Buddy Dees, the Director of DoD’s CMMC Program Management Office. The updates affect several elements of the program structure and are aimed at streamlining and improving program implementation. (See my previous article on the details of CMMC 2.0 here.)

The program changes, now dubbed CMMC 2.0, were initially announced in anticipation of a forthcoming Federal Register notice that would formalize them. On November 17, the official Federal Register notice finally came through.

Impacts and Timeline

The changes reduce the number of firms needing third-party assessments, and thus the demand on CMMC Third-Party Assessment Organizations (C3PAOs). The revisions should also reduce the administrative and cost burdens on small and medium-sized businesses.

The timeline for when CMMC will take full effect depends on how quickly the DoD moves forward with the rulemaking process. According to Dees, in his comments at the CMMC AB Town Hall, the DoD estimates it will take from 9 to 24 months to fully complete the rulemaking process. The DoD’s suspension of all CMMC pilots, together with the exclusion of CMMC requirements from DoD solicitations until the rules are finalized, further slows the pace of implementation.

Time will tell whether the DoD will further revise the program to re-raise the bar with higher standards once CMMC is actually implemented. Watch for potential additional or revised guidance from the National Institute of Standards and Technology (NIST), since that is where the standards underlying CMMC originate.