CMMC (Cybersecurity Maturity Model Certification) is a model cybersecurity framework managed and controlled by the Department of Defense (DoD). On the 4th of November, the DoD unveiled a change to the model via what they call CMMC 2.0.
CMMC 2.0 is a substantial change that will significantly impact businesses who bid for DoD contract work, and cybersecurity service providers who advise contractors navigating the CMMC model requirements.
This article will outline the reasoning behind the DODs decision to amend the CMMC model framework, what we know so far about CMMC 2.0, what we don’t know yet, and what the sudden change means over the short and medium term.
Why is CMMC being Changed?
CMMC 1.0 came into force at the end of November 2020 and originally had a 5-year phase-in period during which contractors working in the defense industrial base (DIB) could adapt to and adopt the model when bidding for and working on DoD contracts.
Not everyone was happy about this, and many stakeholders complained that the 5-layer CMMC model imposed unnecessary costs on any small businesses who wished to bid for DoD contract work. Others argued that this was a justifiable trade-off to ensure the cybersecurity of the DoD supply chain.
In March 2021, the DoD commenced an internal review of the CMMC model, how it was operating, and how the implementation was going. This review took input from over 850 stakeholders, and the information gathered was assessed by cybersecurity and acquisition leadership teams within DoD. This review had a remit to refine the CMMC policy and implementation if they thought this was warranted.
The review teams have come down on the side of those who felt CMMC 1.0 placed an unnecessarily high barrier for SMBs to contract with the DoD and have revised the model extensively.
What Do We know So Far?
As outlined on the website for Acquisition & Sustainment, the new CMMC 2.0 model aims to deliver five outputs from the internal review process:
- Ensure accountability while minimizing barriers to compliance with DoD requirements.
- Safeguard sensitive information to enable and protect the warfighter.
- Dynamically enhance DIB cybersecurity to meet evolving threats.
- Contribute towards instilling a collaborative culture of cybersecurity and cyber resilience.
- Maintain public trust through high professional and ethical standards.
The first bullet point is obviously to address complaints from small businesses about the costs to achieve CMMC 1.0 compliance. We're somewhat skeptical that watering down the requirements that were in CMMC 1.0 is the best way to deliver on the objectives in bullets 2 to 5.
Not all of the requirements and timelines for the adoption of CMMC 2.0 are available yet. What we do know is outlined below.
The Structure of the CMMC 2.0 Model
The CMMC 2.0 model framework shrinks from 5 to 3 levels by eliminating levels 2 & 4 from the previous model. The diagram below outlines these changes.
CMMC 2.0 Model compared to CMMC 1.0. (Source: https://www.acq.osd.mil/cmmc/about-us.html November 2021).
The new Level 1 Foundational tier includes the same 17 practices that were in the lowest CMMC 1.0 tier. It is for contractors who do not process and transmit Controlled Unclassified Information (CUI), but who do have access to Federal Contract Information (FCI) that is not intended for public access, to self-certify that they are compliant with the 17 practices. There will be an audit program to validate contractor compliance and a whistleblower process to report any contracting business that falsely certifies. Falsely certifying under Level 1 could result in fraud claims under the False Claims Act.
Level 2 Advanced in the CMMC 2.0 model replaces the previous level 3, but at the same time, it reduces the practices required to comply. Level 2 aligns with 110 practices from the NIST 800-171 assessment, while 20 additional practices no longer apply. Most contractors looking to comply with Level 2 will be required to pass a third-party evaluation every three years. We say most as there will be provision for a subset of companies at Level 2 to demonstrate compliance through self-assessments. What this subset will mean in practice has not been defined at this time. Another change in CMMC 2.0 is the removal of the requirement for a perfect score to pass accreditation. In the future passing may be possible without a perfect score, with any remedial actions identified allowed via a Plans of Actions & Milestones (POA&Ms) process. Some Level 2 practices deemed critical must be passed and can't be subject to a POA&M.
The top-level in the CMMC 2.0 model is Level 3 Expert. It will require the 110 practices from NIST 800-171 from Level 2, plus selected practices from the NIST 800-172 publication. We don't know yet which NIST 800-172 practices these will be. As with Level 2, contractors at Level 3 will need to pass an assessment every three years.
What Happens Next
The new CMMC 2.0 model framework is still in flux. The DoD plans to implement the new model through its rule-making process under Part 32 of the Code of Federal Regulations (CFR) and the Defense Federal Acquisition Regulation Supplement (DFARS) Part 48. There will be a period of public comment during which the DoD will be seeking stakeholder feedback on the CMMC 2.0 implementation.
As the new model is finalized and rolled out, CMMC 1.0 pilot engagements will end, and DoD will drop the requirements for CMMC 1.0 from solicitations and bids.
So things are still up in the air, with some requirements still to be defined and published. Plus, some of the changes outlined so far may change via the public engagement that the DoD is planning. One thing we do know – the longstanding requirement to be compliant with NIST 800-171, which has always been and continues to be a requirement for contracting with the DoD until the moment that the CMMC 2.0 certification becomes required, is still fully in effect.
We do know enough to allow for some planning for businesses that wish to bid for DoD contracts. We understand what is required to deliver NIST 800-171 practices. These involve cybersecurity practices that Critical Insight has been helping public and private sector organizations implement for years. Implementing these now will both improve your organization's cybersecurity posture, and it'll put you in an excellent position to attain CMMC 2.0 accreditation when the dust settles on the new model.
Our security analysts focus on the threat landscape across all sectors. These experts can assist your organization in a gap analysis and remedial actions needed to start on the CMMC 2.0 path via the NIST 800-171 practices. Contact us to find out how we can work together to start that journey.
See Also: