In a widely anticipated move, the Department of Defense (DoD) announced last week that it has revamped its Cybersecurity Maturity Model Certification (CMMC) program. Dubbed “CMMC 2.0,” the new version of the certification process allows for more self-assessment in lieu of third-party review, reduces the number of security levels from five to three and ties those levels more closely to existing cybersecurity standards, and suspends application of the program until the rulemaking process is finalized. Below we explore these changes in more detail, and also discuss implications for government contractors and subcontractors.
Key Changes Implemented in CMMC 2.0
On its revised CMMC website, the DoD highlights the changes made with the revised CMMC Model. Of particular note are the following:
- Reduction in Number of Levels and Necessary Practices and Processes for Compliance. CMMC 1.0 had five maturity levels, ranging from Level 1 (Basic) to Level 5 (Advanced). Level 1 had 17 associated security practices. The other levels had both required security practices and additional “processes,” which went far beyond the current National Institute of Standards and Technology (NIST)-based security requirements. Level 5, for example, had 171 practices and five processes. In CMMC 2.0, the five levels are compressed into three: Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert). More importantly, the security requirements for Level 2 are now aligned with the 110 practices of NIST Special Publication (SP) 800-171, and the Level 3 requirements are aligned with NIST SP 800-172. Level 1 requires the same 17 basic security practices as before.
- Elimination of Third-Party Certification Requirement for Many Companies and Organizations. Under CMMC 1.0, all five levels required third-party certification. Now, Level 1 relies entirely on self-assessment, and entities seeking Level 2 certification can self-assess against the NIST 800-171 requirements unless those entities will have access to “critical national security information,” a term not presently defined by DoD. Level 3 will require external assessments in all instances. Interestingly, the DoD states that Level 3 assessments will only be conducted by the government, leaving a limited role for third-party assessors, who now only will conduct Level 2 certifications.
- Potential for Certification Even Where Compliance Gaps Exist. Under the original CMMC formulation, a company’s IT systems had to strictly comply with the applicable requirements in order to be certified. The new version has added an allowance, under certain circumstances, that would permit companies to use Plans of Action and Milestones (POAMs) to address minor defects post-certification. DoD, however, will identify certain requirements that will not be permitted to be placed on a POAM. CMMC 2.0 has also introduced a waiver process, permitting waiver of select CMMC requirements under limited circumstances to be determined in forthcoming rulemaking proceedings.
- No Legal Effect Until Formal Rulemaking Is Complete. DoD has made clear that contractors and subcontractors will not be held to CMMC 2.0 standards until such time as the DoD rulemaking under both Parts 32 and 48 of the Code of Federal Regulations (C.F.R.) is complete, i.e., until the DoD regulations are changed and a new DFARS clause implementing the change is issued. In response to an FAQ on the CMMC website, DoD estimates the timeline for such actions as between nine and 24 months. Current CMMC pilot projects have been suspended pending the new regulations. In the interim, DoD encourages the defense industrial base to continue to strengthen its cybersecurity posture. The DoD has also teased that it is contemplating a voluntary CMMC certification program under which it will provide some unidentified “incentives” to contractors that obtain the certification, but no details are yet available.
Significant Impacts for Contractors and Subcontractors
- Reduced Cost and Complexity for Compliance. The DoD seems to have taken to heart feedback from industry complaining about the cost and lack of clarity surrounding CMMC 1.0. Indeed, holding contractors to established NIST standards should come as a huge relief, particularly to contractors that are already bound by the NIST SP 800-171 standards as a condition of their DoD contracts, given their access to controlled unclassified information related to those contracts. The prospect of self-assessment will also save companies the expense of hiring third-party assessors, not to mention consultant fees for CMMC preparation. Finally, contractors that will seek Level 2 certification and that have completed a DoD Self-Assessment for purposes of the Supplier Performance Risk System (SPRS) will already have a clear roadmap to CMMC compliance.
- Possibility of Flexibility in Appropriate Circumstances. The potential for contractors to be able to use a POAM to address minor gaps while still achieving certification is welcome news. So, too, is the as-yet-undeveloped waiver process for acquisitions involving “mission-critical requirements.” With the addition of these possibilities, the DoD has recognized the need for some degree of flexibility in the CMMC process, which was previously lacking.
- Potential Increased False Claims Act Exposure. Self-assessment could prove to be both a blessing and a curse for contractors, however. With third-party assessment, contractors could rely upon the assessment as proof of compliance. As companies assess their own compliance, however, there is a risk of IT security teams interpreting requirements differently from the way a government or third-party assessor would. Moreover, while external assessments by the government and third parties are valid for three years, self-assessments must be completed annually and submitted together with an affirmation from a senior company official. Raising the stakes of an improper or incomplete assessment, the DOJ has recently announced expanded and enhanced enforcement against non-compliance with cybersecurity requirements as part of a new False Claims Act task force. Contractors therefore must tread carefully to be certain that they are actually compliant with all applicable requirements, and that their statements to the government with respect to cybersecurity are accurate and complete.
At the end of the day, the changes to CMMC will and should be embraced by the contractor community and broader defense industrial base as evidence of the DoD’s recognition of the need to streamline the process, and to eliminate barriers to participation in DoD contracting. Of course, cybersecurity and cyber resilience are increasingly important in support of DoD programs. CMMC 2.0 strikes the right balance between the need to thwart would-be attackers seeking government secrets, and the need for contractors to have consistent, proportionate, and reasonable compliance obligations.