Enhancements & Changes to the Cybersecurity Maturity Model Certification (CMMC) & What This Means for You
On November 4, 2021, the U.S. Department of Defense (DoD) Office of the Under Secretary of Defense for Acquisition and Sustainment announced version 2.0 of the highly publicized Cybersecurity Maturity Model Certification (CMMC) in a press release.
In part one of this CMMC blog series, we’ll cover exactly what these changes and enhancements entail, what you need to know, and why you should care.
But before we dive in…let’s start with the basics.
What is the CMMC (Cybersecurity Maturity Model Certification)?
The Cybersecurity Maturity Model Certification is a unified standard for implementing cybersecurity across the defense industrial base (DIB), a supply chain of more than 300,000 companies. The CMMC is the DoD's response to significant compromises of sensitive defense information residing on contractors' information systems.
Before the DoD released version 1.0 in January 2020, contractors were themselves responsible for implementing, monitoring, and certifying the security of their information systems and of any sensitive DoD information stored on, or transmitted by, those systems. Contractors remain responsible for implementing the required safeguards, but the CMMC added a requirement that their compliance with certain mandatory practices, procedures and capabilities be verified by a third-party assessment.
Originally, the CMMC was launched in response to concerns about widespread exfiltration of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) from the DIB. It builds on the existing DFARS Cyber Rule (DFARS 252.204-7012), which requires contractors to maintain 'adequate security' on all covered contractor information systems and to report cyber incidents to the DoD Cyber Crime Center (DC3) within 72 hours of discovery.
The main difference between the two is enforcement. The DFARS Cyber Rule relied on contractor self-attestation of compliance, whereas CMMC 1.0 was to gradually require every DIB contractor to obtain the appropriate level of certification from a certified third-party assessment organization (C3PAO); a contractor without the required certification would be ineligible for award of the contract.
What’s New in CMMC Version 2.0?
Now that the DoD has released CMMC 2.0, there are some changes you should be aware of. The updated model aims to simplify the program and reduce compliance costs by streamlining it and scaling back the requirement that all defense contractors obtain third-party certification of their cybersecurity capabilities.
Under CMMC 2.0, contractors that are not yet in full compliance with the applicable cybersecurity requirements will be permitted to perform less-sensitive contracts if they document the gaps in a Plan of Action & Milestones (POA&M) and commit to closing them by specified dates.
The Reason for the Recent CMMC Changes
The DoD released several draft versions of CMMC before formally publishing CMMC 1.0 as an interim rule to the DFARS in September 2020. The Interim Rule was meant to relieve anxieties over compliance by phasing in the new requirement over a five-year period.
However, the Interim Rule drew over 850 comments and criticisms from industry, centered on several issues:
- Complexity of the framework;
- Imposition of CMMC-unique requirements that did not align with NIST standards;
- High cost of obtaining third-party certification; and
- Too few C3PAOs to perform the assessments, which would create an accreditation backlog.
Even though the Interim Rule stated that the certification requirements would be rolled out over a five-year period, it became evident that even this timeline was unrealistic due to the sheer size of the DIB.
CMMC 2.0 Streamlines & Improves the Previous Model
In response to this feedback, CMMC 2.0 streamlines the model by removing the CMMC-unique practices and all maturity processes.
It also reduces the number of levels from five to three, each aligned with an existing standard:
- CMMC 2.0 Level 1 (Foundational) is aligned with the 17 basic safeguarding practices of FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems.
- CMMC 2.0 Level 2 (Advanced) is aligned with the 110 security requirements of NIST SP 800-171 (and requires compliance with FAR 52.204-21).
- CMMC 2.0 Level 3 (Expert) is aligned with a subset of NIST SP 800-172 (and requires compliance with FAR 52.204-21 and NIST SP 800-171).
In addition, CMMC 2.0 scales back the third-party certification requirement and partially returns to contractor self-assessment: Level 1, and a subset of Level 2 programs, will require an annual self-assessment; Level 2 programs involving information critical to national security will require a triennial assessment by a C3PAO; and Level 3 will be assessed by the government.
How Do These Changes Affect You?
According to the DoD, CMMC 2.0 will be implemented through rulemaking in both Title 32 of the Code of Federal Regulations (CFR) and the DFARS in Title 48 CFR, a process the DoD estimated could take 9 to 24 months. All of the changes will be subject to public comment, so another rule is unlikely to be published for at least another year.
In the meantime, the DoD has suspended the current CMMC piloting efforts and will not approve the inclusion of a CMMC requirement in any DoD solicitation until rulemaking is complete. However, the DoD is exploring incentives for contractors who voluntarily obtain a CMMC certification during the interim period.
In the short term, the release of CMMC 2.0 eases contractor concerns about third-party certification. However, all DIB contractors remain bound by the DFARS Cyber Rule (DFARS 252.204-7012) and by the NIST SP 800-171 self-assessment requirement introduced under the Interim Rule (DFARS 252.204-7019 and 252.204-7020), which requires a current basic assessment score to be posted to the Supplier Performance Risk System (SPRS) before award.
Stay tuned for part two of this blog series where we discuss how CollabPoint can help position you to be able to meet, and certify for, the new CMMC requirements.
If you have any questions about how to prepare your organization for CMMC 2.0, get in touch with our CMMC & GCC High experts at email@example.com.