Yesterday, the Department of Defense ("DoD") announced Version 2.0 of the Cybersecurity Maturity Model Certification ("CMMC") Program. Notably, CMMC 2.0 maintains the original CMMC 1.X Program's goal of safeguarding sensitive information, while:

• Simplifying the CMMC standard and providing additional clarity on cybersecurity regulatory, policy, and contracting requirements;

• Focusing the most advanced cybersecurity standards and third-party assessment requirements on companies supporting the highest priority programs; and

• Increasing Department oversight of professional and ethical standards in the assessment ecosystem.

Together with this announcement, DoD also updated its CMMC website to provide an overview of CMMC 2.0. Briefly, CMMC 2.0: (1) cuts red tape for small and medium sized businesses, (2) sets priorities for protecting DoD information, and (3) reinforces cooperation between the DoD and industry in addressing evolving cyber threats. The primary goals of CMMC 2.0 are:

• Safeguard sensitive information to enable and protect the warfighter

• Dynamically enhance DIB cybersecurity to meet evolving threats

• Ensure accountability while minimizing barriers to compliance with DoD requirements

• Contribute towards instilling a collaborative culture of cybersecurity and cyber resilience

• Maintain public trust through high professional and ethical standards

To that end, some differences between CMMC 1.X and CMMC 2.0 are immediately noticeable. For example, CMMC 1.X included five Maturity Levels and required third-party certifications at each level. CMMC 2.0, on the other hand, removes the previous Levels 2 and 4, removes the maturity processes, and removes the excess practices from Level 3 to harmonize it with NIST SP 800-171. [1] With this new scheme, CMMC 2.0 will look like the following:

• Level 1 (Foundational) – 17 practices & annual self-assessment

• Level 2 (Advanced) – 110 practices of NIST SP 800-171 & triennial third-party assessments for "critical national security information" and annual self-assessments for select programs

• Level 3 (Expert) – Based on a subset of NIST SP 800-172 & triennial government-led assessments [2]

Interestingly, while CMMC 1.X required 100% compliance within a given Maturity Level, CMMC 2.0 will allow for covered systems under a plan of actions and milestones ("POA&M") to achieve certification "under certain limited circumstances." [3] And, while CMMC 2.0 will now allow self-assessments, defense contractors will also be required to include with that self-assessment an "an annual affirmation from a senior company official that the company is meeting requirements."

DoD's website indicates that CMMC 2.0 will be implemented through the rulemaking process – in both Part 32 of the Code of Federal Regulations and the Defense Federal Acquisition Regulation Supplement – and that defense contractors will be required to comply once the forthcoming rules go into effect.

Takeaway

DoD's CMMC 2.0 program is a drastic change from CMMC 1.X, which many believed would be burdensome on small business and could deter innovation in the defense industrial base. Instead, it appears CMMC 2.0 may represent a substantially less burdensome cybersecurity regulation. Regardless, given the frequency with which nation-state threat actors and their proxies are targeting the defense industrial base (e.g., ransomware, etc.), contractors should continue to be vigilant and ensure that their cybersecurity programs not only provide reasonable safeguards but also adhere to all relevant regulatory requirements.

__________

[1] NIST SP 800-171 Rev. 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, available at https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final.

[2] NIST SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171, available at https://csrc.nist.gov/publications/detail/sp/800-172/final.

[3] In that regard, the DoD website provides that, "[t]he Department’s intent is to specify a baseline number of requirements that must be achieved prior to contract award, in order to allow a remaining subset to be addressed in a POA&M within a clearly defined timeline. The Department also intends to specify a small subset of requirements that cannot be on a POA&M in support of achieving a CMMC certification."

. . .

#govcon #cmmc #cmmc2