All Things of Interest to the Government Contracting Community

Is CMMC 2.0 "On Hold"?

When the Pentagon released its Cybersecurity Maturity Model Certification 2.0 guidelines in November, industry breathed a sigh of relief after learning they had more time to become compliant with the new rules and regulations.

The updated version of the cybersecurity framework — which was revamped to be more streamlined and less expensive for companies — will not be a contractual requirement until the Pentagon completes a rulemaking process in the Code of Federal Regulations and Defense Federal Acquisition Regulation Supplement, which can take up to two years.

The release of the new version followed a months-long internal review of the program. The Pentagon said it received feedback from industry, Congress and other stakeholders including 850 public comments in response to the interim rule establishing the original CMMC. The comments focused on reducing costs, increasing trust in the CMMC assessment ecosystem, and clarifying and aligning cybersecurity rules to other federal requirements and commonly accepted standards, according to the Defense Department.

While the Pentagon has given companies more wiggle room in implementing the cybersecurity framework, experts are advising companies not to hold off on their CMMC accreditation once audits kick off, potentially, in the new year.

“Don’t wait for this to be a requirement in your contract,” said Matthew Travis, the CMMC Accreditation Body’s CEO. “Go ahead, engage in CMMC and get certified.”

There are several benefits to being an early worm, he told National Defense. For example, the Defense Department is exploring opportunities to provide incentives to companies that voluntarily obtain CMMC certification before it is required.

“You can think of a lot of different financial incentives as well as qualitative incentives,” he said. “I would like to see the meat on the bone and get those in place.”

Additionally, certification signals to customers that a firm is invested in its cybersecurity apparatus, particularly in the wake of major breaches such as SolarWinds and Colonial Pipeline, he noted.

When “you get that badge saying you are CMMC certified, you are conveying to your customers, your competitors, the government [and] your employees that you take cybersecurity seriously,” he said. “CMMC certification will eventually be the coin of the realm in federal acquisition cybersecurity, and you’ll stand out if you don’t have it.”

Travis encouraged companies to not wait on the sidelines. “Get in and get started,” he said.

Previously under CMMC, companies were grouped into five different security tiers, with Level 5 being the most secure and Level 1 the least. Firms within the defense industrial base were expected to be audited by third-party assessor organizations known as C3PAOs to ensure they were following CMMC requirements.

Under the new rules, the security tiers have been consolidated into three levels. Level 1 is considered “foundational” and will include 17 cybersecurity practices and feature an annual self-assessment.

Level 2 is considered “advanced” and will include 110 practices aligned with the National Institute of Standards and Technology Special Publication 800-171 guidelines.

Companies in this tier will be required to have triennial third-party assessments for critical national security information and annual self-assessments for select programs, according to the Defense Department.

Level 3 is the most secure and is considered the “expert” tier. It features more than 110 practices based on NIST SP 800-172 and will require a triennial government-led assessment.

Initially among C3PAOs and assessors, there was some concern that demand for their services would be lessened by CMMC 2.0 due to Level 1 companies being able to conduct self-assessments, Travis said.

“That right there is taking some of the market out of play,” he said. However, “we’re encouraged by our initial discussions with the DoD that we would still be allowed to have those C3PAOs offer Level 1 certification in lieu of self-attestation on a voluntary basis.”

There are more than 450 companies that have expressed interest in becoming a C3PAO, he noted. However, as of press time there were only five companies — soon to be a sixth — that have been approved by the Defense Industrial Base Cybersecurity Assessment Center to facilitate audits. There is still some paperwork that must be completed before those assessments can take place, and Travis hopes they will begin in early 2022.

For now, “they are authorized to begin engaging with DIB companies and even putting contracts in place,” he said.

Robert Teague, manager of CMMC services at Redspin, one of only five certified C3PAOs, said demand has remained high for audits. He encouraged industry to begin setting up assessments as soon as possible.

“Get your assessment on schedule now, because it’s going to start getting booked up,” he said during a webinar hosted by PreVeil in November. “The longer you wait, the more jeopardy you place yourself in on bidding on contracts with CMMC language.”

The rulemaking process may not take a full two years and companies must be prepared, Teague said.

Companies that previously agreed to work with Redspin for assessments are keeping their appointments, he noted.

“Most of the organizations that have signed on with Redspin are moving forward,” Teague said. “They do not want to take the chance of … the DoD finishing the DFARS regulations ahead of schedule and then they start putting the language in the contracts and then they’ll be behind the power curve in bidding on those contracts.”

Many organizations that deal largely or solely with Pentagon contracts are not waiting, he said. “They’re not hesitating at all because that’s their livelihood.”

National Defense - NDIA's Business and Technology Magazine
By Yasmin Tadjdeh