Major changes are underway for the Cybersecurity Maturity Model Certification (CMMC) program. Previewed in an Advance Notice of Proposed Rulemaking on November 4, 2021, the revamped program is called “CMMC 2.0”. This new certification model promises to streamline compliance for defense contractors and their suppliers, specifically by cutting red tape, clarifying cybersecurity regulatory and policy requirements, and simplifying the existing CMMC levels and standards. It also provides some degree of flexibility for contractors and subcontractors that may not yet meet certain CMMC requirements.
Notably, CMMC 2.0 comes with strategic changes that align it more closely with other federal cybersecurity frameworks, such as the Federal Information Security Management Act, instead of imposing completely unique requirements. For instance, CMMC 2.0 has removed Levels 2 and 4, whose practices and maturity processes were unique to the CMMC program.
The Department of Defense (DoD) states that it will not be using CMMC 2.0 as a basis of evaluation until the rulemaking necessary to implement the program has been completed. With changes to both Part 32 (DoD regulations) and Part 48 (Defense Acquisition Regulation Supplement) of the Code of Federal Regulations, CMMC 2.0 is expected to be implemented within the next 9 to 24 months.
The DoD has suspended its current CMMC pilot programs, and contractors are advised to be compliant with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 controls. But this doesn’t mean that they shouldn’t start preparing for the CMMC 2.0 rollout as soon as they can.
What are the big changes in CMMC 2.0?
The changes in CMMC are designed to ensure better accountability in implementing cybersecurity standards while minimizing challenges to achieving compliance. Here are three key changes in CMMC 2.0 that contractors and subcontractors must know:
1. A 3-tiered model instead of 5
A three-tiered model of cybersecurity requirements in CMMC 2.0 will replace the five-level model of CMMC 1.0. Each level in CMMC 2.0 is matched with independently established standards, such as NIST and Federal Acquisition Regulation (FAR) requirements. The new model will also reduce dependence on third-party assessors while eliminating CMMC-unique practices.
The tiered requirements for CMMC 2.0’s new three-level model are as follows:
Level 1 (Foundational) – Level 1 in CMMC 2.0 is similar to Level 1 of the CMMC 1.0 model. It requires annual self-assessments and certifications as well as the same 17 practices derived from FAR 52.204-21, which stipulates basic cyber hygiene necessary to protect federal contract information (FCI).
Level 2 (Advanced) – Level 2 in CMMC 2.0 mirrors Level 3 of the previous CMMC model. It is divided into two categories, namely, prioritized acquisitions and non-prioritized acquisitions. The split is based on the sensitivity of the controlled unclassified information (CUI) involved; for instance, CUI related to weapons systems will fall under prioritized acquisitions, whereas CUI related to military uniforms will fall under non-prioritized acquisitions.
The assessment requirements of these two categories differ greatly. While prioritized acquisitions will require triennial assessments from a certified third-party assessing organization (C3PAO), non-prioritized acquisitions only require an annual self-assessment.
The new CMMC 2.0 Level 2 has 110 practices — down from 130 practices of the CMMC 1.0 model — all of which are aligned with NIST SP 800-171 controls.
Level 3 (Expert) – Level 3 in CMMC 2.0 is designed to replace Levels 4 and 5 of the previous model and is fully aligned with NIST standards. It will require government-led assessments every three years, as opposed to assessments by C3PAOs. And on top of the 110 controls required for Level 2 certification, Level 3 will require compliance with the NIST SP 800-172 controls.
2. More flexible assessment requirements
Under CMMC 2.0, the DoD will allow all companies at Level 1 and a subset of companies at Level 2 to conduct annual self-assessments — but only after they are given an affirmation by the Defense Industrial Base. This means organizations that handle only FCI and do not touch CUI will be relieved of some of the burden and cost associated with third-party assessments of their cybersecurity standards implementation.
3. POAMs and waivers
Upon the implementation of CMMC 2.0, the DoD will allow some companies that handle sensitive unclassified DoD information to satisfy compliance requirements via plans of action and milestones (POAMs) in lieu of actual compliance. In limited circumstances, contractors or subcontractors can be awarded contracts while they make progress toward full compliance.
However, contractors or subcontractors seeking to meet CMMC 2.0 requirements through a POAM should achieve a minimum threshold score. They must also complete POAMs within 180 days of being awarded a contract. Should they fail to implement all the controls within that time, a contracting officer may terminate the contract. Moreover, the DoD will not accept POAMs for “highly weighted” controls.
In addition to POAMs, waivers for particular mission-critical projects will also be introduced in the new CMMC model. Note, however, that these waivers may only be approved by senior DoD personnel and are strictly time-bound.
CMMC 2.0 promises significant changes in the original program's cybersecurity model and implementation. Make sure your IT infrastructure is prepared for these revamped rules. Talk to a CMMC expert at Charles IT today!