After months of internal study, the Department of Defense (DoD) has revealed its intention of updating the Cybersecurity Maturity Model Certification (CMMC) program. The following are the eight different strategic lines of thinking behind the DoD’s efforts to modify and expand the program.
Download our FREE eBook: CMMC Certification: How Contractors Can Adhere to New Privacy Standards
CMMC 1.0 is widely known for having limited supply chain visibility beyond Level 1 subcontractors, especially when it comes to the transfer and storage of controlled unclassified information (CUI). The proponents of the updates cited that the wording of CMMC 1.0’s regulations lacked focus on the true goals of the certification, which is to maintain and improve the security profiles of organizations handling such sensitive information.
CMMC 2.0's requirements are structured with a greater emphasis on the protection of information deemed vital to national security.
Many contractors and suppliers found CMMC Levels 2 and 4 confusing, as these tiers didn't serve much purpose in setting security standards. In fact, DoD insiders viewed these as merely transitional levels that were assigned to organizations that were moving toward higher maturity levels.
With the shift from five tiers to three tiers, CMMC 2.0 more clearly reflects the level of security that DoD expects from its contractors and suppliers.
In CMMC 1.0, the requirements for Levels 1, 3, and 5 were based on cybersecurity guidance from the Federal Acquisition Regulation and the National Institute of Standards and Technology (NIST). Levels 2 and 4, however, were unique to the CMMC program.
CMMC 2.0 aligns all three new maturity levels with existing cybersecurity standards. While Level 1 requirements remain the same, CMMC 2.0 level 2 is fully aligned with NIST SP 800-171's security criteria. Meanwhile, Level 3 adopts a subset of NIST SP 800-172, removing what was referred to as “practices” and “processes” in CMMC 1.0. These updates allow contractors to have an easier time aligning cybersecurity requirements with the CMMC tier they are graduating to.
In comparison to CMMC 1.0, complying with CMMC 2.0 is far less expensive since the assessment requirements were removed, hence eliminating the corresponding engineering and assessment cost estimates associated with Levels 1, 2, and 4.
There are also additional cost savings under CMMC 2.0 since DoD eliminated the CMMC-specific approaches and maturity requirements across all levels and allowed self-assessments for certain organizations.
Under CMMC 2.0, self-assessment is allowed for firms that do not handle information vital to national security (i.e., firms vying for Level 1 and a subset of Level 2). However, third-party evaluation is required for organizations aiming for the other subset of Level 2.
Those third-party evaluations will be conducted by CMMC Third Party Assessment Organizations or C3PAOs for now. Third-party evaluations for Level 3, on the other hand, will be done by government-led assessment teams from the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center or DIBCAC.
The DoD will be shifting oversight of the entire CMMC 2.0 program from the Office of the Under Secretary of Defense for Acquisition and Sustainment to the DoD Chief Information Officer. CMMC 1.0 lacked safeguards to prevent some professional and ethical breaches, something that the DoD had to learn the hard way through a number of erring contractors and suppliers. CMMC 2.0 aims to raise the level of trust in the process by assigning oversight to a specialized office.
CMMC 1.0 is infamous for burning much of its early goodwill by eliminating the option to submit open Plan of Action and Milestones (POAM) items on assessment day. For example, the "most weighted" requirements will not be permitted to remain as a POAM.
Moreover, under CMMC 1.0, companies are only given up to 180 days to fulfill the required baseline quantity of criteria, while under CMMC 2.0, certain waivers may be given to adjust deployment schedules.
Under CMMC 1.0, a contractor may only be awarded a contract if they have the right certification. By contrast, CMMC 2.0 will allow contractors to obtain waivers of CMMC requirements for time-critical acquisitions. Such waivers may only be approved by senior DoD personnel and will have a limited duration. The DoD maintains that CMMC 2.0 will all but guarantee faster approvals of project-contractor matchings across the board.
CMMC 2.0 is set to make compliance more straightforward, so make sure all members of your organization have a good understanding of the updates. For any clarifications, as well as tech assistance to help your company meet CMMC 2.0 requirements, contact our experts at Charles IT!