Delays in CMMC 2.0 Final Ruling

Delays in CMMC 2.0

As 2023 opens it appears that there may be further delays in CMMC 2.0 reaching a final ruling as the Pentagon considers additional revisions of the proposed rule.  These reconsiderations are, as reported on ClearanceJobs, the result of internal politics and concerns on the impact on businesses.  Because the rule is in proposed status, it is still open for public comment.  In the past this feedback has led to major changes in CMCC that led to the release of CMMC 2.0.

Cybersecurity Maturity Model Certification

In 2013 the Defense Federal Acquisition Regulation Supplemental (DFARS) 252-204-7000 went into effect in an effort to establish requirements for safeguarding Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) held by DoD contractors in the Defense Industrial base.  This was followed by the DFARS clause 7012 in 2016, which established NIST-SP-800-171 as the mechanism for providing this desired protection. 

In 2019 the Department of Defense (DoD) announced the Cybersecurity Maturity Model Certification (CMMC) to provide an external mechanism for certifying levels of cyber hygiene of an organization.  Following industry professionals’ concerns for the complexity, cost, and proposed timeline, the DoD released CMMC 2.0 in 2021.  Among other changes, the levels for compliance were reduced from five to three.  

Currently CMMC 2.0 requirements are divided into three levels of compliance:

  • CMMC Level 1 – Foundational is comprised of the 17 practices described in FAR 52.204-21 and requires an annual self-assessment.
  • CMMC Level 2 – Advanced is comprised of 110 practices which are aligned with the NIST SP 800-171 Revision 2 This is a set of security practices and security standards for non-governmental organizations that handle CUI.  It requires that a third-party assessment by conducted every three years for information deemed critical for national security.  It also requires an annual internal assessment.
  • CMMC Level 3 – Expert includes over 110 practices based on the NIST SP 800-17 cybersecurity standard and includes further controls.  There is also a requirement for triennial assessments conducted by government representatives. 

Establishment of a Certification Body

The Cyber AB was established as a non-governmental agency as the official accreditation body for CMMC.  Its primary mission is to accredit organizations that will be responsible for conducting third party assessments.  These organizations when accredited become part of the CMMC Third-Party Assessment Organizations (C3PAO). 

While there has been progress in accrediting these organizations, concerns have been raised that there are still not enough accredited personnel to service the number of non-governmental organizations that require certification.  Additionally, there have been several mishaps in the formation of the Cyber AB that have hampered its ability to function optimally.

CMMC Requirements Are Here to Stay

While delays in CMMC 2.0 roll out continue, the requirements will remain.  Non-governmental organizations in possession of CUI and FCI will have to receive certification sooner or later.  Establishing and implementing a CMMC program within an organization requires time and effort.  Once the requirements have been met these systems must be integrated into the day-to-day operations of the organization.

While NIST SP 800-17 does contain a number of requirements for establishing and maintaining a cybersecurity program, it often comes up short in detailed descriptions on how non-IT functions are to be executed. This is particularly the case for critical functions such as auditing and management review. These functions must be performed regularly to ensure that the cybersecurity program is effectively addressing cyber risks.

CVG Strategy Information Security Management System Consultants

To assist businesses to meet the challenges in adopting CMMC 2.0 standards, CVG Strategy has developed an approach that combines the requirements of CMMC compliance with the ISO 27001 information security management system.  This provides a coherent methodology for implementing and maintaining essential cybersecurity for businesses of any size.

We can help you meet your information security management system goals.  CVG Strategy QMS experts are Exemplar Global Certified Lead Auditors.  We can provide the training required to understand and engage in a ISMS and make it meet desired objectives. This process includes defining the context of your organization, creation of internal auditing processes and much more. 

Jamie Hamilton

Share this post