DoD Announces CMMC 2.0 to Ease Requirements

DoD Announces CMMC 2.0
DoD Announces CMMC 2.0
DoD Announces CMMC 2.0

In an effort to ease requirements for the protection of Controlled Unclassified Information (CUI), the Department of Defense (DoD) has announced CMMC 2.0.  This new version of the Cybersecurity Maturity Model Certification (CMMC) program will pare down the scope and requirements placed on the Defense Industrial Base.

Initial CMMC Cybersecurity Requirements Daunting

CMMC was created by the DoD to protect sensitive information by incorporating a standardized approach to Information Security Management. This action was undertaken to respond to increased attacks by adversaries and non-state actors.

Members of the Defense Industrial Base (DIB) had voiced desires for standardization of the DoD marking practices for CUI.  They sought to limit requirements to directly relate to contract performance.  The DIB has also voiced concern as to how the Defense Federal Acquisition Regulations (DFARS) Interim Rule would be adjudicated.  Additionally, many smaller subcontractors had feared that the complexity of the proposed CMMC were creating barriers to participation in the DoD acquisition process.  

DoD Announces CMMC 2.0 in Response to Industry Feedback

Jesse Salazar, Deputy Assistant Secretary of Defense for Industrial Policy, said, “CMMC 2.0 will dramatically strengthen the cybersecurity of the defense industrial base.  By establishing a more collaborative relationship with industry, these updates will support businesses in adopting the practices they need to thwart cyber threats while minimizing barriers to compliance with DoD requirements.” 

Key Features in CMMC 2.0

In March 2021, an internal review of CMMC’s implementation was conducted to respond to more than 850 public comments to the interim DFARS rule.  This has resulted in a refinement of policy and program implementation from cybersecurity and acquisition leaders within the DoD.  Changes to the CMMC requirements include the following:

Model Now Has 3 Compliance Levels

The first streamlining has been to reduce the compliance levels from five to three.  The levels currently proposed are:

Level 1 – Foundational is comprised of the 17 practices described in FAR 52.204-21 and requires an annual self assessment.

Level 2 – Advanced is comprised of 110 practices which are aligned with the NIST SP 800-171 Revision 2 standard. This is a set of security practices and security standards for non-governmental organizations that handle CUI.  It requires that a third party assessment by conducted every three years for information deemed critical for national security.  It also requires an annual internal assessment

Level 3 – Expert includes over 110 practices based on the NIST SP 800-17 standard and includes further controls.  There is also a requirement for triennial assessments conducted by government representatives.  Details are still in development for Level 3

Assessment Requirements

The newly released requirements for assessments should support businesses in adopting CMMC.  The new requirements will reduce costs for companies at Level 1 and some companies at Level 2 by allowing self assessments to demonstrate compliance.

Emphasis has also been placed on increasing the oversight of third-party assessors to ensure professional and ethical standards. 

Increased Flexibility in Implementation

In an attempt to establish a more collaborative partnership, the DoD will now allow companies under certain circumstances to achieve certification by making Plans of Actions and Milestones (POA&Ms).  These POA&Ms will require adherence to strict timelines.  The CMMC will also now, in some cases, allow waivers for requirements.

CMMC 2.0 Timeline

These changes will be implemented through the rulemaking process.  Companies that handle or access CUI will be required to comply once the rules go into effect.  As with previous proposed versions of CMMC a public comment period will be in effect.  The DoD considers stakeholder input critical to establishing effective cybersecurity standards. 

The DoD announced that it intends to suspend the current CMMC Piloting efforts and will not require CMMC in DoD solicitations.  Official estimates that final implementation of CMMC may take as long as 2 years.

CVG Strategy Can Help

CVG Strategy cybersecurity experts are here to help small business DoD contractors ready themselves for evolving CMMC requirements.  We can assist your organization develop a tailored cybersecurity program and then perform the required assessments. 

We understand that each business has a unique set of requirements that demand tailored solutions.  Developing these solutions assessing an organization’s culture and involving all stakeholders.  Using this information, we can develop programs that are effective and can adapt as a business grows.

Cyber Security Training

Training is an essential component for any viable information security management system.  Despite major advances in organizational cybersecurity, human error continues to be a major cause of data breach.  Proper cyber protocols must be consistently reinforced through training that is informative and engaging. 
Effective training should include review of basic procedures such as using appropriate network security and not allowing unauthorized access to work areas.  It should also include a review of all ISMS policy and procedure changes.  CVG Strategy has been involved in business training for over a decade.  Our experts take pride in effective and engaging training sessions that ensure that participants retain important information.