
CMMC Gets Revamped. Welcome CMMC 2.0!

  • Robert Blakley
  • Nov 5, 2021
  • 3 min read

Yesterday, 11/4/21, the Department of Defense announced significant changes to the CMMC program. The objective of the CMMC program is to ensure businesses who provide services to the DoD (i.e. the Defense Industrial Base) have the necessary security controls in place to protect DoD assets. Think of this as the DoD’s third party risk management program.


The program was created with a tiered model, allowing for different control requirements depending on the type and sensitivity of information that an organization handles. Organizations that handle more sensitive information must meet more advanced control requirements. The lowest tier was intended for organizations that handle only Federal Contract Information (FCI). The tiers then become progressively more advanced for organizations that handle Controlled Unclassified Information (CUI) and critical programs.


Another key component to the program is the validation requirement. Organizations must demonstrate compliance with their cybersecurity requirements through an assessment. Even at the lowest tier, the original version of the CMMC program required validation by a third party assessor.


The initial five-year phase-in of the program began in November 2020. The DoD received substantial feedback that the program was overly complex and cost-prohibitive for small and medium contractors. In early 2021, the DoD initiated a comprehensive review of the program, and announced the revised “CMMC 2.0” yesterday.


The revised program includes several key changes intended to streamline the model, ease the validation cost burden, and provide more flexible implementation options.


Streamlined Model:

  • The DoD has streamlined the program to reduce the number of tiers from five down to three: Foundational (Basic level for FCI), Advanced (CUI), Expert (CUI and Critical Programs).

  • The control requirements (or practices) within the program are now better aligned with current NIST standards. The requirements for the Advanced tier are now aligned with NIST SP 800-171 for the protection of CUI, and the Expert tier is now also aligned with the Enhanced Security Controls of NIST SP 800-172.

Eased Validation Cost Burden:

  • Rather than bearing the cost to hire a third party assessor, organizations at Level 1 (Foundational) can demonstrate compliance through a self-assessment. A subset of companies at Level 2 (Advanced) can also use an annual self-assessment, while others within Level 2 who handle critical national security information will still be required to have a third party assessment (every 3 years).


Flexible Implementation Options:

  • Under certain circumstances, some companies may achieve certification through the documentation of Plans of Action & Milestones (POA&Ms). This option allows organizations that cannot meet all requirements immediately to document compensating controls and define a plan for reaching full, permanent compliance with all requirements.

  • To extend this flexibility even further, the DoD has also allowed waivers to CMMC requirements under certain limited circumstances.


There are still more details to be learned, but we view these program changes as a positive move because they make the attainment of the program's goals more practical. The reduced complexity at the lower tier, the potential for reduced cost burdens, and the better alignment with existing standards are all welcome news. A word of caution, though: compliance ≠ security. Members of the Defense Industrial Base should not view these changes as an easing of the cybersecurity requirements they should have in place. Contractors to the US government are among the most highly targeted by threat actors. These changes may ease the burden around the compliance aspect of doing business with the government, but the security requirements are more important than ever.



© 2021 by Risk Allies
