Last Updated on November 8, 2021
Here’s what just happened: On the morning of November 4, 2021, the Federal Register published Cybersecurity Maturity Model Certification 2.0 Updates and Way Forward. Within about an hour, the document was withdrawn and a message stating, “An agency letter requesting withdrawal of this document was received after placement on public inspection” was published in its place. Shortly after, the Office of the Under Secretary of Defense – Acquisition & Sustainment released CMMC 2.0 via their website here: OUSD A&S – Cybersecurity Maturity Model Certification (CMMC) (osd.mil)
For months, the Defense Industrial Base (DIB) and information security practitioners have patiently waited for an update from DoD related to “CMMC 1.0” (as we’re calling it now). During this time, forward leaning and proactive organizations have been preparing for CMMC 1.0 by conducting readiness assessments, updating policies and procedures, and spending time and money to meet the strict but subjectively effective CMMC 1.0 controls. This effort will not be wasted, if only because improving information security management practices is inherently a great idea that every organization should embrace.
Most importantly, here’s the bottom line:
Any organization, not just in the DIB, contracting for the US government should ensure documented compliance for protecting CUI and FCI as outlined in 32 CFR Part 2002 and 48 CFR Chapters 1 and 2, respectively. This can be accomplished via the implementation of security requirements in NIST 800-171, or the Basic Security Requirements identified therein.
In my opinion, CMMC 2.0 was a strategic decision aligned with broader and enforceable Department of Justice civil cyber-fraud compliance initiatives to enforce cybersecurity standards and reporting requirements via the False Claims Act. DoJ has stated they will not limit enforcement to entities; individuals also can be held accountable for cybersecurity-related fraud. (Watch what you sign, people.)
Under the False Claims Act, penalties for such violations could be substantial. CMMC 2.0 will require annual affirmation from a senior company official (CISOs beware) that the company is meeting the requirements. The DoD, and I believe ultimately all the US government, will or will continue to require its contractors to register self-assessments and affirmations in the Supplier Performance Risk System (SPRS) and, in my opinion, a future non-DOD equivalent.
Remember, CMMC 1.0 was a 5-year plan aimed at impacting the DIB, while CMMC 2.0 has the potential to impact and require compliance from a broader set of US government contractors in 9 to 24 months via modification to 32 CFR and 48 CFR.
Summary of Recent Events
Per the Cybersecurity Maturity Model Certification 2.0 Updates and Way Forward (WITHDRAWN):
Until the CMMC 2.0 changes become effective through both the title 32 CFR and title 48 CFR rulemaking processes, the Department will suspend the CMMC Piloting efforts, and will not approve inclusion of a CMMC requirement in DoD solicitations.
The CMMC 2.0 program requirements will not be mandatory until the title 32 CFR rulemaking is complete, and the CMMC program requirements have been implemented as needed into acquisition regulation through title 48 rulemaking.
What We Know about CMMC 2.0
The enhanced CMMC 2.0 program is described as maintaining the original goals and objectives to protect sensitive information (great!). It also aims to simplify and clarify the CMMC standard, focus on companies supporting the highest-priority programs, and increase oversight of ethics and standards in the ecosystem (wonderful!). Also, CMMC 2.0 only has 3 increasingly progressive levels, whereas CMMC 1.0 had 5, and is aligned with NIST 800-171 and NIST 800-172 (awesome!).
CMMC 2.0 also allows for flexible implementation (nice!), enabling companies to receive contract awards with a Plan of Actions & Milestones (POA&Ms), with a caveat that the highest-weighted requirements must be met, and an as-yet-undefined minimum score must be achieved (completely reasonable!). CMMC 2.0 also allows limited waivers to select, non-mission critical requirements, but will require senior leadership approval and a justification package to include timelines and identified risks (makes sense!). In short, this could actually work…
In addition, CMMC 2.0 will become a contract requirement once rulemaking is completed (d@#n!), and the DoD “intends to pursue” (I’m not a fan of the word “intends” but I get it) rulemaking in both 32 CFR and 48 CFR. The rulemaking process and timelines can take 9-24 months… That’s pushing 2024, another presidential election and potentially another political appointee at the helm. But, okay, it sounds like a reasonable plan.
Why I’m Optimistic
All kidding aside, changes to CMMC 1.0 were needed, as it was never going to be achievable for the estimated 300,000 DIB contractors. It more than likely would have resulted in many SMBs being unable to participate in DoD contracts and/or organizations fudging System Security Plans (SSPs) just to get their foot in the door. CMMC 2.0 will allow companies associated with the new Foundational/Level 1 (same as the previous CMMC Level 1) and “some” Advanced/Level 2 (equivalent to the previous CMMC Level 3) organizations, based on a priority rating identified by DoD in a RFI or contract and presumably associated with Defense Priorities and Allocations System (DPAS) provisions, to perform self-assessments rather than require third-party attestations. The “Expert” level/Level 3, currently under development, will be based on a subset of the NIST 800-172 requirements.
In addition, CMMC-unique practices and maturity processes will be eliminated. That should help reduce the impact of assessor subjectivity, which looked like it could be a significant problem. The changes to CMMC 2.0 will also reduce cost for SMBs (had to happen!), increase trust in the CMMC assessment and ecosystem (maybe?) and clarify and align cybersecurity requirements to other federal requirements and commonly accepted standards (bravo!).
Plus, don’t forget, under the Executive Order on Improving the Nation’s Cybersecurity, the government plans to release several new FAR clauses applicable to contractors that will standardize cybersecurity rules across agencies. In theory, while painfully slow, CMMC 2.0 can rationalize the assortment of agency-specific policies, regulations, and contract clauses to provide a consistent approach to contractor cybersecurity standards and reporting requirements for the entire US government.
The next six months should be interesting, to say the least.