As our readers know from previous advisories, the DOD proposed the original CMMC program (CMMC 1.0) to motivate the defense industrial base to better protect their networks and sensitive data against domestic and international cyberattacks and thefts. CMMC 1.0 included five different cybersecurity maturity levels that graduate in difficulty, with third-party assessor organizations—approved by an accreditation body—responsible for certifying companies at those levels.
Earlier this year, the Pentagon embarked on an internal review of CMMC 1.0 following pushback from contractors, as well as lawmakers, who had expressed concern about program compliance. For example, small business contractors have raised concerns that CMMC 1.0 compliance would be so expensive that many small businesses would be driven out of the market. The internal assessment team comprised leaders from 18 DOD components, including its Chair, Mieke Eoyang (Deputy Assistant Secretary of Defense for Cyber Policy); David Frederick (Executive Director of U.S. Cyber Command); David McKeown (Deputy Chief Information Officer for Cybersecurity); and Jesse Salazar (Deputy Assistant Secretary of Defense for Industrial Policy).
Following the internal review, the Pentagon announced yesterday its plans for “CMMC 2.0.” CMMC 2.0 will strive to maintain the CMMC 1.0 program’s original goal of safeguarding sensitive information. According to the Pentagon, CMMC 2.0 also will simplify cyber standards, eliminate perceived barriers to compliance, clarify contract requirements and improve the overall ease of execution. According to Secretary Salazar:
“CMMC 2.0 will dramatically strengthen the cybersecurity of the defense industrial base.” ... “By establishing a more collaborative relationship with industry, these updates will support businesses in adopting the practices they need to thwart cyber threats while minimizing barriers to compliance with DoD requirements.”
A significant change will be the reduction in security compliance levels from five to three.
Level 1, the “foundational level,” will include 10 mandatory cybersecurity practices and require annual self-assessments.
Level 2, known as the advanced level, will require compliance with the 110 practices aligned with the National Institute of Standards and Technology (NIST) Special Publication 800-171, as set forth in DFARS 252.204-7012.
Under Level 3, the expert level, contractors will need to employ cyber hygiene that goes beyond the 110 NIST standard practices.
Under CMMC 2.0, all Level 1 category companies and a subset of Level 2 companies can rely on self-assessments. The remaining Level 2 companies will have to undergo third-party assessments on a triennial basis. All companies in Level 3, however, will require triennial government-led assessments rather than third-party assessments. Further, CMMC 2.0 will allow for waivers to the cybersecurity requirements under certain limited circumstances when the DOD must acquire select mission-critical requirements.
In CMMC 2.0, the DOD will specify a baseline number of requirements that contractors must satisfy prior to contract award. This will allow companies to complete the remaining requirements in accordance with proposed plans of action and milestones (POA&M). The CMMC 2.0 changes will be implemented after the completion of Code of Federal Regulations rulemaking for the Defense Federal Acquisition Regulation Supplement following the mandatory public comment period.
Notably, during the rulemaking process, the Pentagon will stay its CMMC pilot efforts and will not include CMMC 1.0 requirements in any contracts. The DOD estimates rulemaking will require as long as 24 months to complete. Further, during rulemaking, the Pentagon plans to publish a “comprehensive cost analysis” of what contractors likely will spend to achieve each level of CMMC 2.0 compliance. Costs are expected to be significantly lower than projected for CMMC 1.0, according to the DOD.
We will closely follow developments in CMMC 2.0 and keep you apprised. We expect that prudent contractors will participate significantly in the public comment process in an effort to render CMMC 2.0 more practical than its now-shelved predecessor.