On November 4, 2021, the Department of Defense (DoD) issued an Advanced Notice of Proposed Rulemaking by releasing the latest and highly anticipated iteration of the CMMC program — CMMC 2.0.  According to the DoD, the streamlined version of CMMC 2.0:

  • Cuts red tape for small and medium-sized businesses
  • Sets priorities for protecting DoD information
  • Reinforces cooperation between the DoD and industry in addressing evolving cyber threats

The Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) was originally introduced in 2020 (CMMC 1.0) and was intended to address widespread concerns about the loss of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) in the Defense Industrial Base (DIB).  Although never fully implemented, CMMC 1.0 built upon DFARS clause 252.204-7012, which required federal contractors to maintain adequate security on all covered contractor information systems and to report all cybersecurity incidents to the government within 72 hours.  CMMC 1.0 went a step further by setting up a tiered system of requirements across five levels ranging from Level 1, (representing basic cyber hygiene) to Level 5 (representing advanced progressive cyber hygiene).  Unlike the DFARS clause which permitted federal contractors to “self-certify” their compliance utilizing a Plan of Action and Milestones (POA&M), CMMC 1.0 required government contractors to be certified by CMMC Third Party Assessment Organizations (C3PAOs) for compliance with the appropriate maturity level.

STREAMLINED REQUIREMENTS — REDUCED NUMBER OF MATURITY LEVELS

While CMMC 1.0 was based on 5 cybersecurity model maturity levels, CMMC 2.0 has reduced those levels to three:

  • Level 1 — Foundational
  • Level 2 — Advanced
  • Level 3 — Expert

As with CMMC 1.0, the three levels are based on specified practices with increasing sophistication, each level including the practices from the previous level:

  • Level 1 — 17 practices (aligned with FAR 52.204-21 — Basic Safeguarding of Covered Contractor Information Systems)
  • Level 2 — 110 practices (aligned with NIST SP 800-171 + Level 1 requirements)
  • Level 3 — 110+ practices (aligned with NIST SP 800-172 + Level 2 requirements)

TIERED ASSESSMENTS

While CMMC 1.0 required third-party assessments for all levels, CMMC 2.0 has reduced the requirement for third-party assessments, leveraging self-assessments in certain circumstances:

  • Level 1 — Annual self-assessments will be permitted with company self-certification of compliance.
  • Level 2 — Two-tiered: Triennial third-party assessments for “critical national security information” and annual self-assessments (as in Level 1) for other programs. The third-party assessments at this level will be conducted by the C3PAOs under the original CMMC 1.0 model.
  • Level 3 — A government-level assessment will be required, likely by the Defense Contract Management Agency’s (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

Additionally, under certain circumstances, which have yet to be defined, the DoD intends to allow contractors to continue to utilize POA&Ms to achieve certification compliance as a prerequisite to receiving a contract award provided they contain specific deadlines for completion of remaining items. The DoD has also included flexibility in requirements, intending to implement a process to waive CMMC requirements under certain limited circumstances.  The specifics of those requirements will be implemented as part of the rulemaking process.

NEXT STEPS

CMMC 2.0 will not become effective until the federal rulemaking process is complete, which could take a year or more.  The intent is for CMMC 2.0 to be effective as soon as that process is complete.  As part of the rulemaking process, the government will provide a public comment period, so additional changes could be made as part of that process.  In the meantime, DoD intends to suspend the current CMMC Piloting efforts and will not approve the inclusion of CMMC requirements in any DoD solicitation.

Despite this, contractors should continue to enhance their cybersecurity posture while rulemaking is underway and be prepared to comply with CMMC 2.0 once rulemaking is complete. The DoD has indicated that it is exploring opportunities to provide incentives to contractors who voluntarily obtain a CMMC certification in the interim.