CMMC 2.0: DoD Scales Back Certification and Streamlines Cybersecurity Requirements for Defense Contractors
November 12, 2021 - WRITTEN BY: Miles & Stockbridge P.C.
On November 4, 2021, the U.S. Department of Defense (DoD) Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) announced Version 2.0 of the highly publicized Cybersecurity Maturity Model Certification (CMMC). This updated version seeks to simplify the model and reduce compliance costs by streamlining the program and scaling back the requirement that all defense contractors obtain third-party certification of their cybersecurity capabilities. Under CMMC 2.0, contractors at the lower CMMC levels will be allowed to self-certify. Additionally, contractors that are not yet in full compliance with applicable cybersecurity requirements will be permitted to perform less sensitive contracts if they make a Plan of Action & Milestones (POA&M) and commit to completing the remaining requirements at later specified dates.
Background: The Delayed CMMC 1.0 Rollout and Industry Concerns about Compliance Costs and Emerging Accreditation Backlog
The CMMC program was launched in 2020 in response to concerns about widespread exfiltration of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) from the Defense Industrial Base (DIB). The original CMMC 1.0 program sought to build upon the DFARS Cyber Rule (252.204-7012) – which generally requires contractors to maintain “adequate security” on all covered contractor information systems and to report any cybersecurity incidents to the DoD Cyber Crime Center (DC3) within 72 hours – by creating “a unified cybersecurity standard for DoD acquisitions” that applies across the DIB. Most significantly, whereas the DFARS Cyber Rule relied on contractor self-certification of compliance, CMMC 1.0 enforced contractor cybersecurity compliance by gradually requiring all DIB contractors to obtain an appropriate level of cybersecurity certification from CMMC Third-Party Assessment Organizations (C3PAOs) as a condition for receiving a DoD contract.
CMMC 1.0 established a scaled benchmark against which a contractor’s cybersecurity maturity could be measured and assessed. The benchmark was scaled across five levels, ranging from Level 1 (“Basic Cyber Hygiene” required to protect FCI) to Level 3 (the minimum level for contractors that access or generate CUI) to Level 5 (“Advanced Progressive”). The model framework specified numerous processes and practices mapped across 17 capability domains and scaled across the five levels. For instance, Level 1 included 17 practices (one for each domain) and 0 processes; Level 3 included 130 practices and 3 processes; and Level 5 included 171 practices and 5 processes. Notably, the requirements for CMMC Level 3 included practices that went beyond the 110 security controls specified by National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, which is the standard set under the DFARS rule for accessing or generating CUI. Following the publication of several draft versions of CMMC, DoD formally published CMMC 1.0 as an interim rule to the DFARS on September 29, 2020 (DFARS Case 2019-D041). The Interim Rule sought to allay anxieties over compliance by phasing in the new requirement over a five-year period. In the meantime, contractors that handle CUI are required to conduct a triennial self-assessment and upload their scores into the Supplier Performance Risk System (SPRS).
The Interim Rule generated over 850 comments and criticism from industry regarding the complexity of the framework, the imposition of CMMC-unique requirements that did not align with the NIST standards, the cost of obtaining third-party certification, and concerns that an inadequate number of C3PAOs would create an accreditation backlog. Although the Interim Rule provided that the certification requirements would be rolled out over a five-year period, it became apparent that even this timeframe was unrealistic, given the sprawling size of the DIB, which, according to DoD, includes over 300,000 companies, including an estimated 12,000-16,000 companies that handle CUI. Accordingly, in March 2021, DoD launched an internal review of CMMC, culminating in the development of CMMC 2.0.
CMMC 2.0 Streamlines the Model and Partially Reverts to Self-Certification
CMMC 2.0 reduces the number of maturity levels from five to three and removes both the CMMC-unique practices and all maturity processes from the CMMC model. Each of the three new maturity levels is aligned with existing standards:
CMMC 2.0 Level 1 is aligned with FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems
CMMC 2.0 Level 2 is aligned with NIST SP 800-171 (and also requires compliance with FAR 52.204-21)
CMMC 2.0 Level 3 is aligned with NIST SP 800-172 (and also requires compliance with FAR 52.204-21 and NIST SP 800-171)
These changes are reflected in the following diagram published by DoD:
Additionally, as illustrated in the diagram above, CMMC 2.0 scales back the requirement to obtain third-party certification and partially reverts to reliance on contractor self-certification.
In the case of contracts requiring CMMC 2.0 Level 1 compliance, contractors will be permitted to submit annual self-assessments with an annual affirmation of compliance by company leadership.
Confusingly, DoD is bifurcating CMMC 2.0 Level 2, which is the minimum level for contracts that require the contractor to handle CUI. Contracts that involve “critical national security information” will require triennial third-party assessments and certification. Less sensitive programs will permit annual self-assessments. DoD has not yet indicated what proportion of Level 2 programs will require third-party assessments.
Finally, DoD explains that contractors will be permitted, “under certain limited circumstances,” to make Plans of Action & Milestones (POA&Ms) to achieve certification instead of requiring full compliance as a prerequisite to receiving a contract award. DoD has not yet explained under which circumstances this will be allowed.
According to DoD, CMMC 2.0 will be implemented through the rulemaking process in both Part 32 of the Code of Federal Regulations (CFR) and in the DFARS in CFR Part 48. All changes will be subject to public comment. Accordingly, it is unlikely that an Interim Rule will be published for at least another year. In the meantime, DoD intends to suspend the current CMMC Piloting efforts and will not approve inclusion of a CMMC requirement in any DoD solicitation. That said, DoD is exploring opportunities to provide incentives for contractors who voluntarily obtain a CMMC certification in the interim period.
In the short term, the issuance of CMMC 2.0 will ease contractor compliance concerns about third-party certification. That said, all DIB contractors will continue to be bound by FAR 52.204-21, and all DIB contractors that handle CUI will continue to be bound by the DFARS Cyber Rule as well as the self-assessment requirement introduced under the Interim CMMC Rule.
CMMC 2.0 marks a change of course for DoD – from prioritizing cybersecurity compliance to prioritizing efficiency and cost savings in DoD procurements. Given the new delays in implementing CMMC and the return to self-certification for most DIB contractors, it is unclear how DoD will be able to meet its objectives of reducing data exfiltration under CMMC 2.0. DoD’s approach to cybersecurity remains in flux, and it is possible that DoD may revert to a stricter approach if it experiences additional high-profile data breaches. Accordingly, contractors would be well advised to continue updating and improving their cybersecurity processes and systems.