For nearly two years, we have been reporting on this blog about the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) program. CMMC is a training, certification, and third-party assessment program designed to protect federal contract information (FCI) and controlled unclassified information (CUI) shared by DoD with its contractors and subcontractors through federal acquisition programs.
On November 4, the DoD announced that CMMC 2.0 would replace CMMC 1.0. The announcement was followed by a publication in the Federal Register of a summary of DoD’s CMMC 2.0 plans, which explains that the changes will be implemented through the notice and comment rulemaking process, proposing revisions/additions to titles 32 and 48 of the Code of Federal Regulations.
The decision was driven in large part by the more than 850 public comments submitted to the DoD in response to the CMMC 1.0 interim DFARS rule released on September 29, 2020. According to the CMMC Frequently Asked Questions, those comments focused on the need to enhance CMMC by doing the following:
- Reducing costs, particularly for small businesses.
- Increasing trust in the CMMC assessment ecosystem.
- Clarifying and aligning cybersecurity requirements to other federal requirements and commonly accepted standards.
The new program design meets the preceding goals and is intended to significantly reduce the regulatory burden on companies in the Defense Industrial Base (DIB). CMMC 2.0 updated regulations will also protect companies in the DIB from increasingly frequent and complex cyberattacks. To achieve the foregoing, CMMC 2.0 is intended to do the following:
- Cut the red tape for small and medium-sized businesses.
- Set priorities for protecting DoD information.
- Reinforce cooperation between the DoD and industries addressing cyber threats.
How is CMMC 2.0 Different from CMMC 1.0?
The comprehensive updated framework of CMMC 2.0 differs from CMMC 1.0 in three key aspects. First, CMMC 2.0 reduces the number of cybersecurity levels from the five proposed in CMMC 1.0 to three new, consolidated levels:
- Level 1, Foundational: Applies to most DIB companies and requires compliance with the basic cyber hygiene requirements specified in FAR 52.204-21.
- Level 2, Advanced: Applies to DIB companies that receive CUI. This level is equivalent to NIST SP 800-171, a framework for protecting CUI on nonfederal systems. The DoD already requires most DIB companies receiving CUI to comply with NIST SP 800-171 through the cybersecurity DFARS 252.204-7012.
- Level 3, Expert: Still under development, but it will be based on a subset of NIST SP 800-172 requirements. Level 3 DIB companies are likely to be those exposed to the most sensitive and highest-risk DoD projects.
Second, unlike CMMC 1.0, CMMC 2.0 allows for self-assessments. DIB companies under CMMC 2.0 Level 1 can perform annual self-assessments and affirm compliance with the requirements. The benefit of a self-assessment is the reduced burden and expenditure of time and resources on compliance.
Companies falling under CMMC 2.0 Level 2 will be exposed to bifurcated requirements. Part (a) requires DIB companies working on prioritized acquisitions to obtain an independent assessment, and part (b) requires DIB companies working on non-prioritized acquisitions to complete annual self-assessments and affirmations. The DoD has not yet announced how it will prioritize such acquisitions, and until the DoD releases such information, one anticipated issue is the subjectivity associated with self-assessments. The standards for the self-assessment may be deliberately vague, confusing, and even too complex to be properly administered without a neutral third-party evaluation. However, subjectivity may be preferred over the alternative of over 300,000 contractors awaiting certification by a third party.
Third, CMMC 2.0 allows for the continued use of a plan of action and milestones (POA&M). DIB companies will be required to submit a POA&M for the cyber practices and processes that they do not yet meet. Thus, companies demonstrating clear compliance plans for meeting the requirements associated with their respective CMMC 2.0 level can be permitted to continue work on that DoD acquisition.
The CMMC 1.0 interim DFARS rule established a five-year rollout plan that required all DIB contractors to be compliant with CMMC 1.0 by September 30, 2025. Under this prior plan, CMMC compliance was intended to be required in select pilot contracts, and full third-party assessments were only to be administered on the contracts selected by the Under Secretary of Defense for Acquisition and Sustainment (USD(A&S)).
With the introduction of CMMC 2.0, DoD has suspended its CMMC pilot programs and will not include CMMC requirements in any contracts until the rulemaking process is complete. Contractors can anticipate that process to take 9-24 months. Further, the full models for Levels 1 and 2, along with the Assessment Guides for those Levels, will be posted in the near future on DoD’s CMMC website. As noted above, Level 3 is still under development and will be posted when complete. While CMMC implementation is on hold until the CMMC 2.0 rulemaking process is complete, DoD encourages contractors to evaluate and harden their cybersecurity.
Once the rulemaking is complete, contractors and subcontractors are likely to qualify for the same CMMC level if they handle the same type of FCI and CUI. But if the prime contractor flows down only select information, a lower CMMC level may apply to the subcontractor.
The DoD will have access to the information and data derived from the DIB companies’ assessments. Self-assessment data will be stored in the Supplier Performance Risk System (SPRS), and third-party assessment data will be stored in CMMC Enterprise Mission Assurance Support Service (eMASS). According to the frequently asked questions, CMMC eMASS data will automatically be saved to SPRS and will not be made public.
Finally, as many commentators have noted, compliance with the CMMC requirements presents potential False Claims Act risk. The recently established Department of Justice’s Civil Cyber-Fraud Initiative will focus on pursuing government contractors and grant recipients that fail to comply with cybersecurity standards.
The authors would like to thank our intern Ustina Ibrahim for her valuable contributions to this article.