The Cybersecurity Maturity Model Certification (CMMC) program is being revised to streamline compliance for contractors in the Defense Industrial Base (DIB) looking to do business with the government. This is great news for small businesses, which might otherwise be forced out of the DIB by the high cost of such a demanding program. On November 4th, the Department of Defense made the announcement, dubbing its revision CMMC 2.0, after a months-long review process.
What Does This Mean for CMMC?
“CMMC 2.0 will dramatically strengthen the cybersecurity of the defense industrial base,” said Jesse Salazar, Deputy Assistant Secretary of Defense for Industrial Policy. “By establishing a more collaborative relationship with industry, these updates will support businesses in adopting the practices they need to thwart cyber threats while minimizing barriers to compliance with DoD requirements.”
The DoD’s press release states:
The enhanced “CMMC 2.0” program maintains the program’s original goal of safeguarding sensitive information, while:
Together, these enhancements:
What Will Change?
Initially, CMMC had five levels. CMMC 2.0 combines the original Levels 1 and 2 into the new Foundational Level, the original Level 3 into the new Advanced Level, and the original Levels 4 and 5 into the new Expert Level. At the Foundational Level, organizations are now able to simply self-assess.
What Contractors Can Expect
For organizations already subject to DFARS clause 252.204-7012 and handling sensitive Controlled Unclassified Information (CUI), today's requirement remains a self-assessment against the 110 security controls of NIST SP 800-171. With the release of the DFARS Interim Rule, effective November 30, 2020, organizations must go a step further and evaluate those controls according to the NIST SP 800-171 DoD Assessment Methodology. This produces a score with a maximum of 110 points, which must be entered into the Supplier Performance Risk System (SPRS).
Between now and the final rulemaking stages, CMMC requirements will not appear in DoD solicitations, and pilot efforts are suspended. During that timeframe, no CMMC assessments will take place as part of the CMMC Accreditation Board ecosystem of C3PAOs (CMMC Third-Party Assessment Organizations). Contractors should be wary of any company claiming to provide official CMMC assessments until the final changes are in place, and should still vet any such company against the CMMC Marketplace listings.
CMMC will still be rolled out once the final changes are published, and companies should still prepare with internal or externally led gap assessments against the CMMC 2.0 practices. The good news for a contractor processing CUI is that there are no additional controls to meet for a CMMC 2.0 Level 2 certification. They are the same controls contractors have already been self-assessing, so no expanded System Security Plan needs to be written to meet CMMC compliance. It also means that an organization seeking certification can have an open Plan of Action and Milestones (POA&M) for some requirements, as long as it maintains the DoD minimum score, instead of the strict no-POA&M approach of CMMC 1.0.
Contractors that handle highly sensitive data will want to start preparing for CMMC 2.0 Level 3 (Expert), which draws on both NIST SP 800-171 and NIST SP 800-172. Those contractors will need to become familiar with NIST SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information (A Supplement to NIST Special Publication 800-171), as it is geared towards protection against Advanced Persistent Threats.
For more information, please see OUSD A&S - Cybersecurity Maturity Model Certification (CMMC) (osd.mil). The new assessment guides for CMMC 2.0 will be posted there in the coming weeks.
To learn more about CMMC and TechGuard's CMMC services, visit our page.