BREAKING: Pentagon Unveils CMMC 2.0 Cybersecurity Plans
The Pentagon is launching a revamped version of its Cybersecurity Maturity Model Certification requirements, a far-reaching initiative with major implications for defense contractors.
The CMMC program is an effort to prod the defense industrial base to better protect its networks and controlled unclassified information against cyberattacks and theft by competitors such as China. The original CMMC cybersecurity standards were first unveiled in 2020 during the Trump administration. They included five different security levels that companies would have to achieve depending on the work they would be doing for the department for specific contracts.
During implementation, third-party assessor organizations would be tapped to conduct audits and certify that a company had met the required standards before it could win Defense Department contracts. Contractors were to be responsible for paying for the audits and their efforts to come into compliance.
The requirements were to be rolled out over time. By 2026, all Pentagon contracts were expected to include CMMC requirements. The rules would have affected more than 300,000 contractors in the vast defense industrial base.
However, after receiving pushback from companies that were concerned about the burdens and cost of implementation of CMMC, the Defense Department launched an internal review of the program earlier this year.
“As is done in the early stages of many programs, the DoD is reviewing the current approach to CMMC to ensure that it is achieving stated goals as effectively as possible while not creating barriers to participation in the DoD acquisition process,” Pentagon spokesperson Jessica Maxwell said in a statement to National Defense in April. “This assessment will be used to identify potential improvements to the implementation of the program.”
The internal assessment included senior leaders from 18 components across the department and was co-chaired by Mieke Eoyang, deputy assistant secretary of defense for cyber policy; David Frederick, executive director of U.S. Cyber Command; David McKeown, deputy chief information officer for cybersecurity; and Jesse Salazar, deputy assistant secretary of defense for industrial policy.
On Nov. 4, with the internal assessment completed, the Pentagon announced its plans for “CMMC 2.0.”
“CMMC 2.0 will dramatically strengthen the cybersecurity of the defense industrial base,” Salazar said in a press release. “By establishing a more collaborative relationship with industry, these updates will support businesses in adopting the practices they need to thwart cyber threats while minimizing barriers to compliance with DoD requirements.”
CMMC 2.0 maintains the program’s original goal of safeguarding sensitive information, but includes changes that are intended to simplify the standards, minimize barriers to compliance, provide additional clarity on regulatory, policy and contracting requirements, increase department oversight of “professional and ethical standards in the assessment ecosystem,” and improve the overall ease of execution, according to the release.
Key changes include a reduction in the number of security compliance levels from five to three.
Level 1, the “foundational level,” will include 10 cybersecurity practices and require affected contractors to conduct annual self-assessments, according to a Pentagon website outlining CMMC 2.0.
Level 2, the “advanced” level, will require 110 practices aligned with the National Institute of Standards and Technology Special Publication 800-171, also known as NIST SP 800-171.
Level 3, the “expert” level, will include 110 or more practices aligned with NIST SP 800-171.
Notably, all companies in the Level 1 category and a subset of companies in Level 2 will be able to conduct self-assessments rather than having to pay for third-party assessments. Other companies in Level 2 will have to undergo triennial third-party assessments, while all companies in Level 3 will have to undergo triennial government-led assessments.
Unlike the old model, CMMC 2.0 will allow for waivers to the cybersecurity requirements “under certain limited circumstances” for “select mission-critical requirements.” Senior Pentagon leadership will have to sign off on waiver requests.
Additionally, the Defense Department plans to specify a baseline number of requirements that must be achieved prior to contract award but will allow companies to complete the remaining requirements at a later time in accordance with a “plan of actions and milestones,” or POA&M, that would need to be in place. CMMC 1.0 had no such provisions.
The CMMC 2.0 changes will be implemented after the completion of the rulemaking process for the Code of Federal Regulations and the Defense Federal Acquisition Regulation Supplement, following a public comment period.
“Stakeholder input is critical to meeting the objectives of the CMMC program, and the department will actively seek opportunities to engage stakeholders as it drives towards full implementation,” according to the website.
While the rulemaking is ongoing, the Pentagon plans to suspend its CMMC pilot efforts and will not include CMMC requirements in any contracts until the rulemaking efforts are completed, an effort which could take nine to 24 months, according to the Defense Department.
“The department encourages contractors to continue to enhance their cybersecurity posture during the interim period while the rulemaking is underway,” according to the website. “The DoD is exploring opportunities to provide incentives for contractors who voluntarily obtain a CMMC certification in the interim period.”
During rulemaking, the Pentagon plans to publish a “comprehensive cost analysis” associated with achieving each level of CMMC 2.0 compliance. Costs are expected to be “significantly lower” than projected for CMMC 1.0, according to the department.
Matthew Travis, CEO of the CMMC Accreditation Body that was set up to train and approve third-party assessors, applauded the revisions to the model, calling them “meaningful and compelling improvements to the implementation of CMMC.”
“The DoD … delivered on what the internal review set out to accomplish: clarifying the standard, reducing the cost burden, improving scalability, and instilling greater trust and confidence in the CMMC ecosystem,” he said in a statement.
However, the changes will create short-term challenges, he added, including curricula adjustments that training providers will have to make, and the time requirements associated with another round of federal rulemaking.
“But now that there is a definitive way forward, I hope all parties move with alacrity,” he said. “I am most encouraged by the department’s commitment to the interim program in which CMMC certifications will be authorized, incentivized and honored for those [defense industrial base] companies who elect to pursue certification before the formal CMMC mandate is codified. We want to get those started soon and I expect the market demand for CMMC certification to be significant.”
Topics: Cyber, Cybersecurity, Infotech, Defense Contracting
Andy at 1:37 PM
One Step Forward, Two Steps Back.... If the Navy owns a submarine, and they put it in drydock, they pay the dockmaster the rent. Or they own the dock outright. When the Air Force stores a jet fighter, they pay rent, or they buy the hangar.
In no case does the Navy or Air Force tell the property owner, "give us the storage and security for free, and pay all your own associated costs, and maybe we'll give you a contract in the future if you do."
To be real clear: the DOD OWNS CUI. To then push both the responsibility and costs of the storage and handling of it to third parties, while expecting the "landlords" to eat the costs upon a promise of a potential contract later, is just not workable.
If the Fed Gov wants to carry out its Constitutionally-mandated obligations to secure the nation, then it has to understand *it* owns the CUI, and *it* dictates the controls and storage, and therefore *it* pays to have those controls and storage implemented, not the contractor.
Can we all agree that NONE of this makes sense? Because the DOD is trying to offload national security back on the people they are tasked with securing.
Mike at 11:42 AM
I am all in favor of making this simpler, while maintaining the integrity of the process, so it seems like a complete reliance on self-assessments is a mistake. This was tried before in some manner with the rollout of NIST 800-171. That was a failure. What would make sense is to allow for self-assessments while at the same time mandating third-party audits based on a sample set, the sample size based on a desired confidence level. This would mean a few thousand audits out of a population of 100,000s. This is basic statistics.
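As an added illustration of the sampling idea in Mike's comment (this is not part of the article or the comment thread, and it is not a DoD method), the following Python computes two audit sample sizes for a self-assessment regime backed by random third-party audits: how many audits estimate the true compliance rate to within a chosen margin, and how many are needed to catch at least one falsely self-attesting contractor with a chosen confidence. The population of 300,000 contractors is the article's figure; the 95% confidence level, 2% margin and 1% assumed non-compliance rate are illustrative assumptions.

```python
import math
from statistics import NormalDist
from typing import Optional

# Added example: sample sizes for random audits backing self-assessments.
# The 300,000 contractor population is the article's figure; confidence
# levels, margins and the non-compliance rate used below are assumptions
# chosen for illustration, not DoD figures.


def z_score(confidence: float) -> float:
    """Two-sided z value for a confidence level, e.g. 0.95 -> about 1.96."""
    if not 0 < confidence < 1:
        raise ValueError("confidence must be strictly between 0 and 1")
    return NormalDist().inv_cdf((1 + confidence) / 2)


def audits_to_estimate_rate(confidence: float, margin: float,
                            population: Optional[int] = None,
                            expected_rate: float = 0.5) -> int:
    """Random audits needed to estimate the population's compliance rate to
    within +/- margin at the given confidence (normal approximation).
    expected_rate defaults to 0.5, the most conservative (largest) choice.
    A finite population shrinks the sample via the finite-population
    correction; the article's 300,000 contractors barely change the result."""
    if not 0 < margin < 1:
        raise ValueError("margin must be strictly between 0 and 1")
    z = z_score(confidence)
    n0 = z * z * expected_rate * (1 - expected_rate) / (margin * margin)
    if population is not None:
        if population < 1:
            raise ValueError("population must be positive")
        n0 = n0 / (1 + (n0 - 1) / population)
    return math.ceil(n0)


def audits_to_detect_one(confidence: float, noncompliance_rate: float) -> int:
    """Random audits needed so that, if at least noncompliance_rate of the
    population has falsely self-attested, the sample catches at least one
    such contractor with the given confidence. Solves
    1 - (1 - p)^n >= confidence for n, treating draws as independent
    (a good approximation when the sample is small relative to the population)."""
    if not 0 < noncompliance_rate < 1:
        raise ValueError("noncompliance_rate must be strictly between 0 and 1")
    if not 0 < confidence < 1:
        raise ValueError("confidence must be strictly between 0 and 1")
    return math.ceil(math.log(1 - confidence) / math.log(1 - noncompliance_rate))


if __name__ == "__main__":
    population = 300_000  # the article's figure for affected contractors
    print("audits to estimate compliance rate (95%, +/-2%, N=300,000):",
          audits_to_estimate_rate(0.95, 0.02, population))
    print("audits to catch one false attestation (95%, 1% assumed rate):",
          audits_to_detect_one(0.95, 0.01))
```

With these assumptions the estimate-the-rate figure comes out at a few thousand audits, consistent with the comment's rough scale, while catching at least one false attestation at an assumed 1% rate needs only a few hundred; the detection figure is far more sensitive to the assumed non-compliance rate than to the population size, so the choice of that rate deserves more scrutiny than the population figure.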