Say Hello to 2.0: DoD's Significantly Revamped "CMMC 2.0" Program for Defense Contractors
The Department of Defense (DoD) has announced major changes to its Cybersecurity Maturity Model Certification (CMMC) program for defense industrial base (DIB) contractors and subcontractors. The revamped program, called "CMMC 2.0," greatly reduces CMMC's reliance on third-party assessments, streamlines its compliance levels, more closely aligns to existing cybersecurity standards, and provides limited flexibility for contractors and subcontractors that may not meet certain requirements.
The release of CMMC 2.0 marks not only significant changes in the CMMC program's cybersecurity model but also in the timing of its implementation. DoD has been piloting CMMC with several DIB contractors and intended to start incorporating the program into some defense contracts this year.
In light of CMMC 2.0, DoD states that it will not incorporate CMMC into any contracts until it has completed rulemaking to implement the program. DoD expects the rulemaking process—which will include changes to both Part 32 (including DoD regulations) and Part 48 (including the Federal Acquisition Regulation (FAR) and Defense Acquisition Regulation Supplement (DFARS)) of the Code of Federal Regulations—to take between nine and 24 months.
A newly revised CMMC website describes changes to the program introduced by CMMC 2.0. Key changes include:
- Reducing the number of compliance levels from five to three.
CMMC originally had five compliance levels, 1-5, including "transitional levels" 2 and 4. CMMC 2.0 has three compliance levels.
- Level 1 (Foundational) is for contractors and subcontractors that handle only Federal Contract Information (FCI) as defined in the Federal Acquisition Regulation (FAR).1 The DoD estimates that about 140,000 such companies exist in the DIB.2
- Level 2 (Advanced) is required for contractors and subcontractors that handle Controlled Unclassified Information (CUI).3 The DoD estimates that about 80,000 companies handle CUI and about 40,000 of those handle CUI considered to be critical national security information.
- Level 3 (Expert) is for contractors and subcontractors that work on the most sensitive DoD programs. The DoD estimates that about 500 companies will need to comply with Level 3.
- Aligning CMMC with existing NIST cybersecurity standards.
CMMC 2.0 is more closely aligned with existing standards published by the National Institute of Standards and Technology (NIST). Previously, Levels 2, 3, 4, and 5 included various CMMC-specific cybersecurity requirements on top of existing NIST standards. In CMMC 2.0, Level 2 is aligned with NIST SP 800-171 and Level 3 is based on NIST SP 800-172. As before, Level 1 includes 17 practices enumerated in the CMMC program. - Allowing companies at Level 1 (Foundational) and a subset of companies at Level 2 (Advanced) to demonstrate compliance through self-assessments.
Originally, CMMC required third-party assessments for all contracts at every compliance level. Possibly in response to significant industry concern about the potential costs and burdens of such assessments, CMMC 2.0 requires third-party assessments for only a limited subset of contractors and subcontractors:
- Level 1 and Level 2 contractors and subcontractors that do not handle critical CUI are required only to undergo a self-assessment. While self-assessments likely will be less expensive and onerous than third-party assessments, there's a catch: self-assessments must be performed annually, whereas third-party assessments were required only every three years.
Additionally, contractors and subcontractors should be vigilant when performing and reporting their self-assessments in light of the DOJ's Civil Cyber-Fraud Initiative, which intends to use the False Claims Act to enforce compliance with cybersecurity requirements in federal government contracts. - Level 2 contractors and subcontractors that handle CUI deemed to be critical national security information will be required to undergo triennial third-party assessments by a Certified Third-Party Assessment Organization (C3PAO), as they were previously.
- Level 3 contractors and subcontractors will be audited by an internal DoD division, the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center. These assessments will be required triennially.
- Level 1 and Level 2 contractors and subcontractors that do not handle critical CUI are required only to undergo a self-assessment. While self-assessments likely will be less expensive and onerous than third-party assessments, there's a catch: self-assessments must be performed annually, whereas third-party assessments were required only every three years.
- Allowing companies, under certain limited circumstances, to make Plans of Action & Milestones (POA&Ms) to achieve certification.
In the original version of CMMC, contractors had to be fully compliant with the required CMMC level prior to being awarded a contract. Under CMMC 2.0, however, a contractor or subcontractor that does not meet certain CMMC requirements nonetheless may be able to receive contract awards if it has a POA&M in place to meet those requirements in the future.
- Adding waivers to CMMC requirements under certain limited circumstances.
Unlike the original version of CMMC, CMMC 2.0 allows waivers on a very limited basis in select mission critical instances, upon senior leadership approval.
DoD previously expected to incorporate CMMC requirements into all DIB contracts by 2026. That date is now in question given that DoD expects rulemaking to take up to two years before any requirements are incorporated into DIB contracts.
DWT will continue to monitor the development of the CMMC program, including the upcoming rulemaking process for changes to DoD and DFARS regulations.
FOOTNOTES
1 https://www.acq.osd.mil/cmmc/index.html.
2 DoD discussed CMMC 2.0 and how it expects various requirements to apply to different types of contractors at a recent town hall. See https://federalnewsnetwork.com/defense-news/2021/11/cmmc-2-0-could-take-as-long-as-two-years-to-come-online/.
3 CUI is "controlled unclassified information." "Controlled unclassified information" is information the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. 32 CFR 2002.4.