In an effort to ease requirements for the protection of Controlled Unclassified Information (CUI), the Department of Defense (DoD) has announced CMMC 2.0. This new version of the Cybersecurity Maturity Model Certification (CMMC) program will pare down the scope and requirements placed on the Defense Industrial Base.
Initial CMMC Cybersecurity Requirements Daunting
CMMC was created by the DoD to protect sensitive information by incorporating a standardized approach to Information Security Management. This action was undertaken to respond to increased attacks by adversaries and non-state actors.
Members of the Defense Industrial Base (DIB) had voiced desires for standardization of the DoD marking practices for CUI. They sought to limit requirements to those directly related to contract performance. The DIB had also voiced concern as to how the Defense Federal Acquisition Regulations (DFARS) Interim Rule would be adjudicated. Additionally, many smaller subcontractors had feared that the complexity of the proposed CMMC was creating barriers to participation in the DoD acquisition process.
DoD Announces CMMC 2.0 in Response to Industry Feedback
Jesse Salazar, Deputy Assistant Secretary of Defense for Industrial Policy, said, “CMMC 2.0 will dramatically strengthen the cybersecurity of the defense industrial base. By establishing a more collaborative relationship with industry, these updates will support businesses in adopting the practices they need to thwart cyber threats while minimizing barriers to compliance with DoD requirements.”
Key Features in CMMC 2.0
In March 2021, an internal review of CMMC’s implementation was conducted to respond to more than 850 public comments to the interim DFARS rule. This has resulted in a refinement of policy and program implementation from cybersecurity and acquisition leaders within the DoD. Changes to the CMMC requirements include the following:
Model Now Has 3 Compliance Levels
The first streamlining has been to reduce the compliance levels from five to three. The levels currently proposed are:
Level 1 – Foundational is comprised of the 17 practices described in FAR 52.204-21 and requires an annual self-assessment.
Level 2 – Advanced is comprised of 110 practices which are aligned with the NIST SP 800-171 Revision 2 standard. This is a set of security practices and security standards for non-governmental organizations that handle CUI. It requires that a third-party assessment be conducted every three years for information deemed critical to national security. It also requires an annual internal assessment.
Level 3 – Expert includes over 110 practices based on the NIST SP 800-17 standard and includes further controls. There is also a requirement for triennial assessments conducted by government representatives. Details are still in development for Level 3.
The newly released requirements for assessments should support businesses in adopting CMMC. The new requirements will reduce costs for companies at Level 1 and some companies at Level 2 by allowing self-assessments to demonstrate compliance.
Emphasis has also been placed on increasing the oversight of third-party assessors to ensure professional and ethical standards.
Increased Flexibility in Implementation
In an attempt to establish a more collaborative partnership, the DoD will now allow companies under certain circumstances to achieve certification by making Plans of Actions and Milestones (POA&Ms). These POA&Ms will require adherence to strict timelines. The CMMC will also now, in some cases, allow waivers for requirements.
CMMC 2.0 Timeline
These changes will be implemented through the rulemaking process. Companies that handle or access CUI will be required to comply once the rules go into effect. As with previous proposed versions of CMMC, a public comment period will be in effect. The DoD considers stakeholder input critical to establishing effective cybersecurity standards.
The DoD announced that it intends to suspend the current CMMC piloting efforts and will not require CMMC in DoD solicitations. Officials estimate that final implementation of CMMC may take as long as 2 years.
CVG Strategy Can Help
CVG Strategy cybersecurity experts are here to help small business DoD contractors ready themselves for evolving CMMC requirements. We can assist your organization in developing a tailored cybersecurity program and then perform the required assessments.
We understand that each business has a unique set of requirements that demand tailored solutions. Developing these solutions requires assessing an organization’s culture and involving all stakeholders. Using this information, we can develop programs that are effective and can adapt as a business grows.