In response to more than 850 public comments, the Department of Defense (“DOD”) has decided to significantly revamp the Cybersecurity Maturity Model Certification (“CMMC”) program. On November 4, 2021, DOD announced that it was replacing the current CMMC program with CMMC 2.0, which is expected to significantly reduce the regulatory burden on companies in the Defense Industrial Base (“DIB”). DOD made three significant changes through the new CMMC 2.0 program:
Reduces the number of CMMC levels. As we explained in earlier posts, CMMC 1.0 originally had five CMMC levels of ascending sophistication. CMMC 2.0 now only has three levels:
-
-
- CMMC 2.0 Level One: This level will apply to most DIB companies and requires compliance with 17 basic cyber hygiene practices.
- CMMC 2.0 Level Two: This level applies to DIB companies who will receive controlled unclassified information (“CUI”) and is expected to align with the requirements under NIST SP 800-171. Notably, DOD already requires most DIB companies receiving CUI to comply with NIST SP 800-171 through the cybersecurity DFARS clause 252.204-7012.
- CMMC 2.0 Level Three: DOD is still developing the requirements for this level, but we expect that this level will apply to only the most sensitive and high-risk DOD projects.
Permits self-assessments. One common complaint with CMMC 1.0 is that it required all DIB companies to obtain a third-party certification, even at the lowest CMMC level. CMMC 2.0 eliminates this requirement for CMMC 2.0 level one. Instead, DIB companies can perform annual self-assessments with an annual affirmation that they comply with the requirements of CMMC 2.0 level one. This new self-assessment option for level one will significantly reduce the time and resources most DIB companies must dedicate to CMMC compliance. DOD has bifurcated CMMC 2.0 level two, requiring DIB companies working on “prioritized acquisitions” to obtain an independent assessment, while allowing annual self-assessments and affirmations for non-prioritized acquisitions. DOD has not yet announced how it will prioritize acquisitions. CMMC 2.0 level three will still require a government-led or third-party certification.
Allows Plan of Action and Milestones (“POA&M”). Another criticism of CMMC 1.0 was that it required a DIB company to meet every practice and process for the desired certification level in order to receive its certification. CMMC 2.0 now allows DIB companies to submit a POA&M for those cyber practices and processes that it does not yet meet. Thus, as long as a DIB company can show that it is working towards meeting all of the requirements of its CMMC 2.0 level, it should still be permitted to continue work on the DOD acquisition. DOD has also signaled that it will waive CMMC requirements, if necessary.
Looking ahead, DOD has suspended CMMC 1.0. This means that DOD will not require DIB companies to comply with CMMC requirements until new CMMC 2.0 rules are published. DOD is not expected to publish new rules until at least summer 2022, but more realistically not until 2023. We will continue to monitor these developments as DOD releases more information about CMMC 2.0.