Last Updated on November 15, 2021
The US Department of Defense (DoD)’s move from CMMC 1.0 to CMMC 2.0 has thus far been seen in a positive light by industry leaders and businesses in the US defense industrial base (DIB). Reduced emphasis on audits, a cut in the number of mandated controls, the reinstatement of POA&Ms, etc. are being widely touted as a relaxation of requirements that will make life easier (and less costly) across the defense supply chain.
But is this “relaxed” view the reality? Or is CMMC 2.0 really a call to action that will likely move the DIB’s cybersecurity posture forward at an accelerated pace, with the core requirements of the original CMMC program essentially unchanged?
Further, what do recent US government stratagems—from the cybersecurity executive order to the Justice Department’s cyber fraud initiative to new rulemaking within the overarching Code of Federal Regulations (specifically 32 CFR and 48 CFR)—foreshadow for government suppliers in general?
To provide practical insight on what government contractors both within and outside the DIB really need to understand about CMMC 2.0, Pivot Point Security CISO and Managing Partner, John Verry, recorded a special episode of The Virtual CISO Podcast. The show also features two of Pivot Point’s top GRC advisors: Caleb Leidy, CMMC Consultant/Provisional Assessor and George Perezdiaz, CMMC/NIST Security Consultant.
The New CMMC Level 2
With CMMC 2.0, the five levels from CMMC 1.0 have been simplified to three levels. The new CMMC Level 2 corresponds to the former Level 3, and mandates essentially the same controls and other requirements that have been in place since 2016 with NIST 800-171 and DFARS 7012. The interim rule DFARS clauses 7019 and 7020 are also still in play, though DFARS 7021 is probably due for an overhaul since it relates to rolling out the superseded CMMC 1.0.
What’s different now for DIB orgs that handle CUI? At the new CMMC Level 2, there is no longer a requirement to implement the additional 20 controls specified in the CMMC 1.0 standard. Likewise, the 51 “process maturity” requirements are no more. NIST 800-171 compliance is now (again) the target. Indeed, this has always been the standard for safeguarding CUI in the eyes of the federal government overall, per the National Archives and Records Administration (NARA), which has authority over the CUI program. The assessment standard for NIST 800-171 compliance is now (again) straightforwardly NIST 800-171A.
“I think that [primacy of NIST 800-171] was neglected in the foresight of DoD when they started rolling out CMMC 1.0, and that was caught during the review and now it’s been pulled back,” says Caleb.
“We’re back down to exactly where we started before CMMC 1.0,” John notes. “It’s basically, NIST 800-171 is the standard that protects CUI from the US government’s perspective. Now CMMC is perfectly aligned with NIST 800-171, and the audit program will be perfectly aligned with NIST 800-171A.”
Do we still need an audit?
The so-called “bifurcation” change within CMMC 2.0 divides DIB orgs handling CUI into two camps—those with “critical” CUI that still must undergo third-party audits, and those whose CUI is less sensitive and doesn’t warrant an audit. But since the impact level for all CUI is defined as Moderate, it’s unclear where further risk assessment will draw the line. Preliminarily, firms working on weapons systems, command & control systems and possibly communications systems are thought to be subject to audits under CMMC 2.0.
“I think a lot of folks are thinking they’re going to get out of the independent assessment piece,” Caleb observes. “I don’t think that’s the case.”
Another current unknown is what those audits will look like and what their goal will be. Instead of a “go/no-go” certification audit per CMMC 1.0, DIB orgs at CMMC Level 2 may instead undergo an independent assessment through a C3PAO for compliance with NIST 800-171, with the results (possibly in the form of scores) going to DoD.
What about POAMs?
Another big change with CMMC 2.0 Level 2 is the reinstatement of Plans of Action & Milestones (POAMs). The window for POAMs will be 180 days.
“Caleb and I have always said that POAMs are inevitable in a NIST 800-171 environment if you’re managing it correctly,” George asserts. “Now you can have POAMs and still receive a certification, as long as those POAMs are not for big-ticket items like your encryption, your incident response or your training; and, of course, your MFA and others.”
CMMC 2.0 also temporarily allows for “waivers” for the entire CMMC requirement (not just individual controls) under limited circumstances relating to “acquisitions for select mission critical requirements.” While details are TBD subject to the CFR rulemaking process, a waiver basically means that you can begin executing on a contract before you undergo a third-party audit or self-attest to NIST 800-171 and DFARS compliance.
What do the changes mean for my business?
The bottom line for DIB orgs at CMMC Level 2 (those that handle CUI) is:
- You’re still on the hook for compliance with NIST 800-171 and the specific DFARS clauses in your contract(s). But you can forego the 20 additional controls in CMMC 1.0 if you so choose.
- You may be able to save money if you no longer need an initial certification audit, or a recertification audits every three years. But that is TBD for many companies and will definitely not be the case for many others.
- If your business is exempted from a third-party audit, a senior executive will need to personally sign off on your self-attestation. Given the particulars of the US Department of Justice (DoJ)’s recent Civil Cyber-Fraud Initiative, which underscores that the False Claims Act can be brought to bear against individuals as well as corporations, that could potentially “energize” your security program just as much as an audit.
To hear the complete episode on CMMC 2.0 with John, Caleb and George, click here: EP#71 – Caleb Leidy & George Perezdiaz – CMMC 2.0 is Here! Find Out What It Really Means for DIB and Non-DIB USG Contractors – Pivot Point Security
For more thought leadership on CMMC 2.0 and what defense suppliers need to pay attention to, we recommend this recent post: