In November 2021, the Department of Defense (DoD) introduced a major update to the Cybersecurity Maturity Model Certification (CMMC): CMMC 2.0. According to the original announcement, this update included significant changes from the previous version of CMMC (1.02), including reduced dependence on third-party assessment, and the elimination of security controls unique to CMMC.
In December 2021, the DoD went on to issue self-assessment guidelines for Levels 1 and 2 of the revised program. While not comprehensive – and while the rulemaking process for CMMC 2.0 may be extended through the Fall of 2023 – the new guidelines have gone a long way to clarify the requirements of CMMC 2.0, and how they will impact the Defense Industrial Base (DIB).
In this article, we’ll explain the requirements of CMMC 2.0 and how they will change cybersecurity practices across cleared facilities.
Overview of CMMC
In recent years, government agencies have been facing increased cybersecurity risk from many different sources. First announced in 2019, CMMC represents the DoD’s latest effort to combat these risks among defense partners through improved cybersecurity regulations and better accountability.
When it first passed into federal law in December 2020, CMMC was divided into 5 levels of security with different standards of protection. Significantly, it required organizations to undergo periodic examination by a Certification Third-Party Assessment Organization (C3PAO) to stay certified and retain eligibility for defense contracts.
Over the course of 2021, the cybersecurity landscape became even more volatile, with increased ransomware attacks on federal organizations, software supply chain breaches, and more. It’s clear that we need CMMC more than ever before – but its arrival was not without controversy.
Concerns About CMMC
While CMMC aimed to provide more robust security standards for the entire defense contracting community, the industry is large: large enough that creating a one-size-fits-all standard has been challenging. According to Deputy Assistant Secretary of Defense (DASD) for Industrial Policy Jesse Salazar, the DoD has struggled to push “the practices they need to thwart cyber threats” while “minimizing barriers for compliance.”
Consequently, legislators have worried that the requirements of CMMC would be too burdensome for small government contractors ever since the framework was introduced. At the same time, the CMMC Accreditation Body – responsible for licensing C3PAOs – fell under scrutiny early in 2021, after the IT Acquisition Advisory Council found that it was guilty of running a “pay-to-play scheme”.
For these reasons and others, CMMC has been due for some revisions. Fortunately – with CMMC 2.0 – the DoD has delivered them while paving the way for a more streamlined and better-optimized cybersecurity framework.
What’s New in CMMC 2.0?
Despite two years of work, CMMC was still in its early stages, and full details of the CMMC 2.0 framework weren’t known. Nevertheless, the DoD provided plenty of information through its early announcements and subsequent updates. The most significant changes from CMMC 1.02 include:
- New Level System
Levels 2 and 4 of the original CMMC framework were scrapped, leaving three levels in total. The new levels roughly correspond to the original Levels 1, 3 and 5, respectively. At Level 1 – “Foundational” – contractors will be required to follow 15 basic security controls based on Federal Acquisition Regulation (FAR) clause 52.204-21.
Level 2 – “Advanced” – encompasses all 110 controls in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. In addition to these controls, businesses certified at Level 3 – “Expert” – will have to follow a subset of practices from NIST SP 800-172.
- Expanded Reliance on Self-Assessment
Under the original CMMC framework, all businesses were required to receive certification through a C3PAO. CMMC 2.0 reduces this requirement significantly, allowing all businesses at Level 1 to submit self-assessments instead. Businesses at Level 2 that do not store or process “critical” controlled unclassified information (CUI) will also be exempt from third-party assessment.
At Level 3, businesses must be assessed directly by the government on a triennial basis. In total, this leaves about 40,000 companies that will have to be certified by a third party once every three years – a small fraction of the 220,000 companies in the defense industrial base.
- Reduction of Security Controls
Although the original CMMC was heavily inspired by NIST regulations, it also included additional security controls unique to CMMC at Level 3 and above. In CMMC 2.0, these controls were eliminated, leaving the framework directly tied to existing NIST and FAR documents.
In addition to simplifying compliance requirements for small government contractors, tying CMMC directly to NIST gave DoD officials the opportunity to keep CMMC updated through updates to NIST documentation. This ensured the longevity of the program as the cybersecurity landscape changed.
- Increased Opportunities for Lenience
Under CMMC 2.0, the DoD will offer some organizations the opportunity to win contracts without full CMMC implementation by first submitting a Plan of Action and Milestones (POA&M), provided they meet a hard deadline for full compliance. A limited waiver process is also planned, which will allow organizations to forgo some CMMC requirements under special circumstances, although many details of this process have yet to be clarified.
- Decreased Assessment Scope
With the release of self-assessment guidelines for Levels 1 and 2 of CMMC 2.0, the DoD has introduced the concept of “enclaves” for information technology (IT) systems processing CUI and other sensitive categories of information. Moving forward, IT systems which lie outside of these enclaves can be exempted from third-party assessment as long as they are physically and logically separated.
Depending on the size of an organization’s IT infrastructure, this change can radically decrease the scope of the third-party assessment necessary for CMMC certification. However, organizations are still required to account for “out-of-scope” assets in a system security plan (SSP).
Impact on FSOs
In our last blog post on CMMC, we wrote:
Since CMMC incorporates requirements from NIST 800-171, it directly impacts FSOs who will play a key role in implementation processes. At levels 1 and 2, the Physical Protection portion of CMMC overlaps closely with previous regulations, including authorization of personnel, visitor check-in, protection of physical access devices (keys, locks, card readers) and more.
Because CMMC 2.0 is now directly tied to NIST 800-171, the Physical Protection requirements are largely unchanged, although they now kick in at Level 2 rather than Level 3. But since the rulemaking process may continue through 2023, FSOs should stay updated on CMMC to understand how it will impact their organization and responsibilities in the future.
The Only Tool You Need
As of December 2021, all pilot contracts featuring CMMC as a requirement were suspended and would not resume for another nine months. This left organizations with time to prepare and invest in the tools they needed to stay compliant.
Today, FSOs are on the front line of America’s fight for national security. In the growing tide of insider threats, malware attacks, and cybersecurity incidents, FSOs protect our nation’s most sensitive facilities from foreign actors, organized espionage, and more. To do that, they must stay on top of emerging legislation including NISPOM and CMMC.
Fast track your CMMC compliance efforts with MathCraft’s Enterprise Security Suite, the industry’s most fully-featured software solution for security compliance in cleared organizations. With modules for visitor check-in, physical access, and more, it is always updated for compliance with the latest federal security legislation.