Cybersecurity Maturity Model Certification 2.0 Announcement
Key Details: The Department of Defense (DoD) released new cybersecurity guidance on Thursday, November 4, 2021. This release, titled “Strategic Direction for Cybersecurity Maturity Model Certification (CMMC) Program,” follows the completion of an internal program assessment across the DoD.
Purpose of CMMC 2.0
The goal of this internal self-assessment was to streamline the safeguarding of the Defense supply chain and to lower compliance costs for Defense Industrial Base contractors. CMMC 2.0 arose from this internal self-assessment and maintains the original goal of protecting sensitive information. CMMC 2.0 also aims to enhance the program through:
- Simplifying standards (lowering the original 5 levels of compliance to 3 and allowing self-assessments at the lowest requirement level).
- Clarifying cybersecurity regulations, policies, and contractor requirements.
- Focusing more advanced cybersecurity and assessment standards on contractors that support high-priority programs.
- Increasing DoD oversight of professional and ethical standards during assessments.
The DoD hopes that these enhancements will increase contractor accountability in implementing cybersecurity standards while also minimizing compliance barriers and costs. The CMMC 2.0 Model is summarized in the table below:
CMMC 2.0 Levels
Level 1
- Applies to defense industrial base contractors who handle Federal Contract Information (FCI).
- Includes a subset of the NIST 800-171 cyber hygiene practices.
Level 2
- Applies to contractors who handle Controlled Unclassified Information (CUI) that is identified as Critical National Security Information. This level requires third-party assessments.
- Includes the 110 controls of NIST 800-171.
Level 3
- This level is still under development; however, the DoD lists 110+ practices based on NIST 800-172.
- Applies to sensitive and high-risk DoD contracts.
Ryan & Wetmore recently covered NIST 800-171 and other cybersecurity requirements in a prior article.
Potential Changes Implemented Under CMMC 2.0
Through CMMC 2.0, the DoD hopes to implement the following key changes to refine and build on current (CMMC 1.0) program requirements and regulations:
- Streamlining the model from 5 levels of compliance to 3, to focus on the most critical requirements.
- Using National Institute of Standards and Technology (NIST) cybersecurity standards.
- Reducing assessment costs through self-assessments.
- Increasing accountability and professional and ethical oversight.
- Improving collaboration by allowing certain companies to use Plans of Action & Milestones to achieve certification (under limited circumstances).
- Improving flexibility and speed of certification by allowing certain CMMC waivers (under limited circumstances).
Timeline and Rulemaking for CMMC 2.0
CMMC 2.0 changes will be implemented through a rulemaking process. The DoD intends to pursue rulemaking in both Part 32 of the Code of Federal Regulations and in the Defense Federal Acquisition Regulation Supplement in Part 48.
Defense contractors will be required to comply with the new model once the rules go into effect. The DoD anticipates that the rulemaking process and timeline will take 9 – 24 months. During this period, contractors are encouraged to closely monitor the DoD for any further updates and clarifications regarding the level and timing of compliance.
Other Potential Changes & Additional Information
- Upon implementation of CMMC 2.0, the DoD will specify the required CMMC level in the solicitation.
- Prime contractors and subcontractors that handle the same type of information will require the same CMMC level.
- Third-party assessments will be conducted by authorized and accredited C3PAOs (CMMC Third Party Assessment Organizations) or certified CMMC Assessors.
- The DoD will store all self-assessment results in the Supplier Performance Risk System (SPRS) once CMMC 2.0 is fully implemented.
- The DoD will develop a new cost estimate for CMMC assessments and will publish it in the Federal Register during the rulemaking process.
What Should Contractors Do Now?
Contractors are encouraged to review and monitor the DoD’s Acquisition & Sustainment – About CMMC page for the official summary of changes and other related resources, which the DoD will use for further clarifications and updates regarding compliance and timelines.
It is important to note that certain levels are still under development, so contractors should continue to monitor the DoD website and related CMMC resources for updates, clarifications, and official rule releases.
As cybersecurity requirements increase in complexity, it is essential for contractors to fully understand the various regulations on their current and future contracts. Conducting regular self-assessments and keeping up to date with further announcements will help contractors prepare for and meet the requirements of CMMC 2.0.
Today’s Thought Leaders
About Peter Ryan
Partner, Co-founder, & CPA
Peter T. Ryan co-founded Ryan & Wetmore in 1988 with business partner Michael J. Wetmore. Peter provides clients with the best strategies for success. His expertise extends across various industries, including government contracting. Peter obtained a Master of Business Administration in Finance from the University of Baltimore and a Bachelor of Arts in Accounting from the Catholic University of America.
About Rosie Cheng
Rosie Cheng is a Finance Consultant at Ryan & Wetmore. She focuses on government contracting services and produces many of the firm’s government contracting newsletters. Rosie graduated from Georgetown University with a Master of Science in Management and from William and Mary with a Bachelor of Business Administration.