On November 4th, 2021, the Department of Defense (DoD) announced CMMC 2.0, which includes major changes to the CMMC program. Here is a summary of the key changes:
- CMMC 2.0 has only 3 Maturity Levels, compared to 5.
- For Maturity Level 2 in CMMC 2.0, there are now only 110 controls, which are completely based on NIST 800-171. The additional 20 controls for Maturity Level 3 in CMMC 1.0 have been removed.
- For Maturity Level 2 in CMMC 2.0, organizations will be required to perform either tri-annual third-party assessments, or annual self-assessments, depending on the DoD program.
- For Maturity Level 1 in CMMC 2.0, self-assessments must now occur annually.
- Until CMMC 2.0 rulemaking is finalized, all DoD contractors must still complete a self-assessment based on NIST 800-171, and the self-assessment scores must be uploaded to the DoD Supplier Performance Risk System (SPRS). The requirement for this deadline was November 30, 2020.
While it might seem that the Cybersecurity Maturity Model Certification (CMMC) standards are relatively new and fresh, there are already recent changes on their way that are significant enough to warrant a CMMC version 2.0.
The changes in CMMC 2.0 versus 1.0 are intended to streamline the process for businesses seeking a Department of Defense (DoD) contract. Specifically, CMMC 2.0 aims to:
- Simplify the CMMC standard and offer more clarity on the requirements
- Reserve advanced cybersecurity standards for highest priority programs
- Raise oversight professional/ethical standards for assessments
The result is:
- Solidifying accountability while reducing barriers to compliance
- Creating a collaborative culture regarding cybersecurity
- Boosting public trust in the CMMC
- Making execution easier
The government is rightly hyper-aware of areas where it should strengthen cybersecurity for companies in the Defense Industrial Base (DIB).
Due to data breaches that leaked Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), businesses that want to hold contracts with the DoD need to demonstrate that they are compliant or working towards compliance with CMMC 2.0 standards.
The CMMC Structure
There are three features to the CMMC structure. They won't change in the move from CMMC 1.0 to 2.0, so it's helpful to go over them:
A Tiered Model
There are different security tiers depending on security requirements for the information being processed. Each contractor will need to submit to the requirements outlined in the level of CMMC security they need to reach.
The DoD will assess the cybersecurity measures put in place by their contractors.
Implementation Through Contracts
To be awarded a contract, DoD contractors will have to achieve one of 3 (formerly 5) levels of security.
History of the CMMC
In 2019, the DoD announced it would implement new measures to protect sensitive data used and shared by contracting businesses. Katie Arrington, former Chief Information Security Officer (CISO) for Acquisition and Sustainment (A&S) at the DoD, delivered a presentation in June 2019 titled, “Securing the Supply Chain.”
In this presentation, she outlined the National Institute of Standards and Technology (NIST) 800-171 guidelines that businesses should be, but to a large degree, were not implementing.
An interim rule published on September 29th, 2020 and made effective on November 30th of the same year authorized the inclusion of CMMC in DoD contracts. This rule was called the Defense Federal Acquisition Regulation Supplement (DFARS) 2019-D041.
Companies wishing to engage in business with the DoD had to begin adding the new cybersecurity protocols, which would become mandatory in all contracts by 2026.
Feedback Creates Changes
In March 2021, the DoD conducted a review of how the CMMC had been implemented thus far. They received 850 public comments regarding the interim rule, detailing contractors' practical concerns about how businesses would follow the rules.
The DoD listened to these criticisms and enacted changes to the CMMC structure to reduce the burden on current and potential contractors. As a result, CMMC 2.0 has replaced the old version, now known as 1.0. In November of 2021, the DoD announced that they had made changes and dramatically altered the CMMC.
The new streamlined model reduces the amount of red tape for small to medium businesses, establishes priorities for defending secure information, and stresses cooperation between DoD and contracting companies in facing cyber threats.
One of the most drastic changes to the CMMC is the new Streamlined Model that eliminates two levels of implementation, dropping from the original five to a more manageable three. The initial five levels were:
- Level 1: Basic
- Level 2: Intermediate
- Level 3: Good
- Level 4: Proactive
- Level 5: Advanced
The three levels under CMMC 2.0 are:
- Level 1: Foundational
- Level 2: Advanced
- Level 3: Expert
Originally, the DoD meant levels 2 and 4 to be transition stages, so this new framework does away with them. The original model's levels 1, 3, and 5 are the new 1, 2, and 3, respectively.
CMMC 1.0 required maturity processes at each level, which is gone from 2.0. Also gone are CMMC's unique practices, and instead, 2.0 will rely on NIST standards. Specifically:
- Level 2 (Advanced): 110 security practices from NIST SP 800-171
- Level 3 (Expert): Based on a subset of NIST SP 800-171 guidelines
The point of CMMC is still to defend FCI and CUI. According to Federal Acquisition Regulation (FAR) 4.1901, FCI is not intended for release to the public but is information given by or created by the government regarding a product or service that a contractor is building for the government.
On the other hand, CUI is information that is possessed or created by the government or that an outside entity possesses or creates for the government. Government policies, laws, or regulations permit or require agencies to maintain this information properly.
For those more interested in specific categories and subcategories of CUI, such information is available directly from the National Archives and DoD via their websites.
When CMMC 1.0 was implemented, the DoD also announced that they would require assessments to ensure that contractors followed the guidelines. Version 2.0 simplifies this process and removes some requirements that would have added undue financial burden on small to medium-sized businesses.
There are three kinds of assessments:
At the Foundational Level, or Level 1, the DoD will not be sharing any CUI or other sensitive information that could be a national security risk with their contractors.
Businesses achieving this level will be able to perform a self-assessment of their cybersecurity abilities rather than subject themselves to a third-party assessment, which would be more rigorous.
Also, there will be programs in the Advanced Level, or Level 2, that will not require handling of CUI or other critical documents. For these businesses, a self-assessment will suffice.
Contractors must perform self-assessments annually. These assessments will also require a senior company official to affirm that the business submitting a self-assessment does meet the requirements.
As under CMMC 1.0, companies must submit both assessments and affirmations to the Supplier Performance Risk System (SRPS).
For contractors in Level 2 that handle CUI and other sensitive data, assessments will need to be performed by a third party. The CMMC Accreditation Body (CMMC-AB) will be responsible for accrediting organizations to complete assessments.
These organizations will be known as CMMC Third Party Assessment Organizations (C3PAOs) and fall under the CMMC Assessors and Instructors Certification Organization (CAICO). The CMMC-AB Marketplace will list accredited C3PAOs.
Companies in the DIB must seek out certification and schedule the necessary assessments themselves. The CMMC-AB ecosystem will handle any conflicts of interest. All C3PAOs will have to comply with ISO/IEC 17020, the CMMC-AB will comply with ISO/IEC 17011, and the CAICO will comply with ISO/IEC 17024 requirements.
While Level 1 businesses will only be required to submit an assessment once per year, these third-party assessments for higher Level 2 businesses will happen three times per year.
For Expert Level 3 contractors, government officials will handle the assessments. These assessment requirements aren't yet completed but will happen three times per year.
In a move to lessen the burden of implementing new and drastic cybersecurity policies, there will be some added flexibility to the new framework:
Plan of Actions and Milestones
One of the major shifts in the new CMMC 2.0 framework is the allowance for Plan of Actions and Milestones (POA&M).
Under 1.0, for a business to be awarded a contract, it had to be in complete compliance. Now, the DoD will outline requirements that must be in place to receive a contract and allow businesses to document how and when they will achieve the rest.
There will be a minimum score required for businesses to be allowed to use POA&Ms. Because some requirements are non-negotiable, companies won't be allowed to use POA&Ms for every requirement.
CMMC 2.0 will also allow for waivers. There may be mission-critical needs for a project to get fast-tracked, and senior leadership approval could approve waivers contingent on a DoD justification package.
This package would include a risk mitigation plan and timeline that would be determined on a case-by-case basis. These waivers would be applied to the entire CMMC requirement, not individual processes.
Not all partners and contractors will be US-based companies, but the DoD asserts that they will establish agreements regarding cybersecurity for foreign businesses. Regardless of foreign countries' rules or laws regarding cybersecurity, these businesses will have to adhere to the DoD's standards.
The CMMC vs. Other Standards
US companies currently doing business with other countries' governments may be acting under standards different from the DoD's CMMC. The DoD is currently working on meshing the CMMC standards with other standards to maintain these contracts.
Some Continued Concerns
While the changes coming are in response to contractor complaints and do address many concerns, a few questions still exist.
Subcontractor Assessment Results
One area that doesn't seem to have been addressed in CMMC 2.0 is the issue of contractor and subcontractor certifications. The problem is that contractors will need to farm work to subcontractors, and since both entities may have to handle sensitive data, they will both need to be CMMC compliant at the appropriate level.
However, the results of CMMC assessments stored in SPRS are not public information. If two companies want to do business with each other but can't share their respective compliance levels, how will they overcome this?
A possible answer is that the DoD will control the information and could be the go-between for a contractor and subcontractor.
All self-assessment results on SPRS and third-party assessments stored in the CMMC Enterprise Mission Assurance Support Services (eMASS) database will only be accessible to the companies that had the assessments performed.
The information exists, and the DoD controls the information, but there is currently no specified method for addressing this problem.
CMMC Certification Costs
The new rules state that assessment costs will vary depending on network complexity, CMMC level, market forces, and other factors. However, there is not yet an associated fixed cost for any assessments for Level 3 assessments that will be performed by the government. For third-party assessments, the cost will still be negotiated between the OSC and C3PAO.
Keep in mind that the CMMC 2.0 may still not be the final framework. As the DoD continues to refine the certification standard and processes, it may announce more changes.
As the rules currently stand with CMMC 2.0 being the most recent standard, you can expect a more streamlined process for achieving certification versus version 1.0.
Here are the answers to some common questions regarding CMMC 2.0:
The CMMC 1.0 originally stated 2026 as the year for full compliance; is that the case with 2.0?
The rulemaking process is not yet finished. Rulemaking can take anywhere from 9 months to 2 years. Once the DoD has finalized the new CMMC rules, CMMC 2.0 will be mandatory for all DoD contracts.
If a company became compliant under CMMC 1.0, are they subject to those rules, or will they need to become 2.0 compliant?
No contracts will be subject to CMMC requirements before the completion of 2.0's rulemaking process. DFARS established a phase-in timeline of five years, but this was only for select pilot contracts.
What are the implementation costs of 1.0 versus 2.0?
The DoD projects costs to be lower under 2.0 than 1.0. Because many more companies will be allowed to self-assess their cybersecurity readiness, there will be much less need for costly in-person assessments.
With that being said, the DoD will increase oversight regarding third-party assessments. It's simply that there will be fewer of them. The DoD plans to publish a cost analysis regarding each CMMC 2.0 level.
Were the changes necessary?
Yes. The DoD had over 850 comments from public entities regarding processes under the interim rule. Rather than steamrolling companies that will end up providing valuable products and services, the DoD preferred to listen to their comments and shift the structure where necessary.
Increasing trust between the various businesses in the DIB and with the DoD itself was one of their top goals.
Which level is required for my business?
In the solicitation for any contracts, the DoD will outline the required level. If the business submits a Request for Information (RFI), they can also find out that way.
Is the NIST part of the DoD?
No, but the NIST's requirements outlined in their Special Publication (SP) 800-171 will be the standard referenced for Advanced Level 2 compliance. SP 800-172 requirements will mirror the Expert Level 3 requirements; however, Level 3 is still under development.
Can companies at different levels do business with each other?
It depends on whether they are handling the same level of sensitive documents. Both businesses must be on the same level to maintain security.
However, there is an exception. If a prime contractor at Level 3 wants to use a subcontractor at Level 1, there can be no sharing of CUI. They can, otherwise, do business as long as no such documents are shared with the level 1 business.
What if my company wants to become a C3PAO? Can we?
You might be able to do so. There are stiff requirements, and the CMMC-AB website outlines all of the necessary steps for becoming a C3PAO candidate.
Is it possible to perform self-assessments at higher security Level 2 and Level 3?
No. The DoD will only allow for accredited C3PAOs and certified CMMC Assessors to perform third-party assessments at these levels.
Will CMMC certification allow my business to handle classified information?
No. CMMC only allows for handling of FCI or CUI.
Are self-assessments and basic assessments the same things?
No. A self-assessment uses the CMMC Assessment Guide codified in 32 CFR depending on the CMMC level. This self-assessment asserts that the company meets the appropriate CMMC level.
A basic assessment is a little more strict. It's defined by DFARS clause 252.204-7020, NIST SP 800-171 DoD Assessment Requirements. The basic assessment requires that a contractor review their security plan that protects their information systems and results in a “Low” confidence level for the score because it's self-generated.
How will the DoD apply the CMMC to foreign companies?
Interestingly, the existing framework may inform the application of CMMC to these non-US entities. However, the exact implementation remains to be seen because the rulemaking process has yet to finish.
Are there any hints as to how the CMMC will integrate with other sets of standards?
Not yet. Currently, the DoD is working to ensure compatibility between CMMC Level 2 and the GSA Federal Risk and Authorization Management Program (FedRAMP), which outlines cloud service security requirements. Once the rulemaking process is complete, these issues will become more clear.
Will the False Claims Act still crack down on false claims?
There's no reason to assume it won't. The penalty for false claims made when submitting assessments regarding CMMC is double the government's damages and an additional $2,000 for each falsified claim.
Because the DoD is serious about increasing its cybersecurity efforts with its partners, they will most likely continue to use every force in their means to eliminate fraud in the DIB.
Becoming More Cyber Secure
Companies that wish to do business with the DoD need to put their cybersecurity efforts under the microscope right now. Just because the CMMC requirements aren't set to be enforced in full until 2026 (or later, depending on if CMMC 2.0 rulemaking pushes this back) doesn't mean the DoD will be lax regarding cybersecurity.
There are essential steps your business can take now to make CMMC compliance easier.
Many of the most successful hacking incidents have been a direct result of an employee offering information to someone they shouldn't. Business email compromise (BEC) and phishing attacks involve hackers pretending to be a trusted co-worker or business partner, asking for data such as usernames and passwords.
Ensure your employees are educated on how to spot possible scams.
Don't give employees more access than they need. This rule goes for physical systems, too. Lock doors and filing cabinets to prevent unauthorized access, and only provide appropriate staff with the keys.
Implement multi-factor authentication and don't allow staff members to share credentials. You may even put biometric security measures into place, such as fingerprint or retinal scanning.
Use Appropriate Surveillance
If a workstation is particularly vital, it may need a security camera pointed at it at all times. Being able to review recordings of key areas in your business may be the difference between an unsolved data theft and a quick capture.
Update, Update, Update
Obsolete software or software that's never been updated poses massive security risks. Hackers are excellent at exploiting weaknesses from security patches not getting installed or unsecured operating systems running vital computers. Update all software with current versions and put virus and malware protection systems in place.
Count the Cost
Even with the DoD's response to complaints, there is still a considerable expense for businesses achieving higher levels of cybersecurity in the CMMC 2.0. These expenses are not just monetary; they're also measured in manpower.
You and your IT staff will be working hard to ensure protocols are met to the satisfaction of the DoD. You will have to ask yourself, is this contract worth the cost?
For many businesses, the answer is yes. A lucrative, long-lasting government contract is a dream of many companies. These contracts can provide years of stable income.
Upgrading IT infrastructure, submitting reports, and experiencing assessor inspections are just part of doing business. If your company believes it has a reasonable chance of landing such a contract, then the CMMC process is worth it.
Even if your company doesn't land such a contract, certification still puts the organization on a better footing. Being able to advertise the strict standards you have regarding cybersecurity (even if you can't tell anyone what your assessment is) demonstrates that you can handle extremely sensitive information.
If you're interested in becoming CMMC certified, read through the information first and familiarize yourself with the requirements. They'll let you know what you're in for.