Changes Coming to CMMC in 2022 with CMMC 2.0

January 18, 2022

CMMC 2.0 - What to expect

The U.S. Department of Defense (DoD) published an Advance Notice of Proposed Rulemaking (ANPRM) on November 17, 2021 that previewed significant changes to its Cybersecurity Maturity Model Certification (CMMC) program. DoD estimated that the rulemaking needed to put the changes into effect would take 9 to 24 months from that date.

CMMC 2.0 represents DoD's response to an internal review prompted by more than 850 public comments on the September 2020 "CMMC 1.0" interim rule. While the changes are in progress, DoD will not include CMMC requirements in its solicitations. Contractors are advised to keep following the current assessment framework, which centers on implementing the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 controls and completing the required Basic Assessment (self-assessment score) under the DFARS interim rule.

The revised program structure and requirements were designed to meet the goals set by that internal review.

What is the CMMC program?

The Cybersecurity Maturity Model Certification (CMMC) program protects sensitive, unclassified information that the Department shares with contractors and subcontractors by raising the cybersecurity standards of the companies that handle it. It builds the requirements into acquisition programs and gives DoD greater confidence that contractors and subcontractors actually comply with them. The three key features of the framework are:

Overview of CMMC 2.0

CMMC 2.0 will replace CMMC 1.0's five-level model with three levels of progressively stricter cybersecurity requirements. Each level is keyed to an existing, independent standard (e.g. the Federal Acquisition Regulation (FAR) basic safeguarding clause, NIST SP 800-171, NIST SP 800-172). The new model also increases oversight of third-party assessors and eliminates the CMMC-unique practices and "maturity" process requirements.

Improvements to the CMMC model include:

More Speed and Flexibility - Allows waivers of CMMC requirements in limited circumstances, and lets companies use Plans of Action & Milestones (POA&Ms) to achieve certification with some practices still outstanding, to be completed within a defined timeline.

Less Expensive - Allows all Level 1 (Foundational) programs, and a subset of Level 2 (Advanced) programs, to demonstrate compliance through annual self-assessments rather than third-party assessments.

Streamlined Requirements - CMMC 2.0 focuses on the most critical requirements, reducing the model from five compliance levels to three.

Use of Widely Accepted Standards - The model now relies directly on National Institute of Standards and Technology (NIST) cybersecurity standards and removes the CMMC-unique practices.

More Accountability - Increases oversight of the professional and ethical standards of third-party assessors.

New CMMC 2.0 Controls and Requirements

The requirements at each tier of the three-level model are as follows:

CMMC 2.0 Level 1 - "Foundational"

Level 1 covers the 15 basic safeguarding requirements of FAR 52.204-21 (expressed as 17 practices in the CMMC model) for protecting Federal Contract Information (FCI). Compliance is demonstrated through an annual self-assessment, accompanied by an annual affirmation from company leadership. In scope, this is essentially unchanged from Level 1 of the previous model; what changes is that no third-party assessment is required.

CMMC 2.0 Level 2 - "Advanced”

CMMC 2.0 Level 2 corresponds to the old CMMC 1.0 Level 3. However, the new Level 2 reduces the required practices to the 110 security requirements of NIST SP 800-171 Revision 2, dropping the 20 CMMC-unique practices that CMMC 1.0 Level 3 had added on top of them (130 practices in total).

There will be a division between "prioritized" and "non-prioritized" acquisitions based on the sensitivity of the information involved. An example of a prioritized acquisition might be one involving Controlled Unclassified Information (CUI) related to weapons systems; a non-prioritized acquisition might involve CUI about military uniforms. Details of how acquisitions will be prioritized are to be released in future rulemaking.

Prioritized acquisitions will require a triennial assessment by a CMMC Third-Party Assessment Organization (C3PAO). Non-prioritized acquisitions will require only an annual self-assessment and affirmation.

CMMC 2.0 Level 3 - "Expert"

Level 3 of CMMC 2.0 will replace Levels 4 and 5 in CMMC 1.0.

Most importantly, acquisitions at the new Level 3 "Expert" tier will require triennial government-led assessments rather than C3PAO assessments. In addition to the 110 NIST SP 800-171 requirements of Level 2, Level 3 will require compliance with a subset of the enhanced security requirements in NIST SP 800-172.

How to Prepare for CMMC 2.0

Cyberattacks on the Defense Industrial Base (DIB) are becoming more frequent and more sophisticated, which is why cybersecurity is a priority for the Department of Defense. DoD created the CMMC program to protect both American ingenuity and national security information. Its purpose is to improve DIB cybersecurity to meet evolving threats and to safeguard the information that supports and enables warfighters.

DoD encourages contractors to improve their cybersecurity posture during this transition. To help DIB companies assess their cybersecurity readiness and implement sound practices, the Department created Project Spectrum.

While rulemaking is underway, the Department has suspended its current CMMC pilot efforts and will not approve the inclusion of CMMC requirements in DoD solicitations.

The proposed rules will be open for public comment before they take effect; once they become effective, companies will have to comply. DoD says it will seek opportunities to engage stakeholders as it moves toward full implementation, since stakeholder participation is crucial to achieving the goals of the CMMC program.

By Esther Cheng