On November 4, 2021, the Department of Defense (DoD) introduced the new, revised version of the Cybersecurity Maturity Model Certification (CMMC) for its 300,000+ supply chain contractor organizations. The development of this new version, which started in March 2021, was the culmination of DoD’s program review of the CMMC effort, initiated by the new US Administration after the November 2020 election. Over the previous year a wide range of organizations, corporations, panels, and groups had delivered comment submittals, advisory papers, suggestions, and general advice to DoD on CMMC, each proposing different changes. These suggestions ranged from stopping the effort altogether as a “waste of money” to minor alterations of the program. DoD has a long history of conducting such program reviews over the past 30 years for large military weapons and administrative programs, so to me the change action was not a new or unusual activity.
CMMC 2.0 introduced several major adjustments to the original CMMC Model. These changes included:
- Reducing the number of levels from five to three, with Level 1 unchanged, the new Level 2 equivalent to the old Level 3, and the new Level 3 equivalent to the old Level 5
- Removing the ban on POAMs (Plans of Action and Milestones) for Level 1 and for some Level 2 requirements
- Changing Level 1 to a self-attestation effort by the contractor organizations, rather than the original requirement of a third-party assessment by designated assessment organizations
- Allowing the less critical controls in Level 2 to also be self-attested by the contractor organizations
DoD reverted to the US Government’s standard for managing Controlled Unclassified Information (CUI), NIST Special Publication 800-171, as the sole authoritative source for defining the security controls needed to manage the contractor’s efforts and systems.
With CMMC 2.0, DoD also removed the extra areas it had added in CMMC 1.0, concerning availability and asset management. Listed below are these changes and what they mean to Defense Industrial Base (DIB) contractors.
- The first change reduces the areas of focus to a more manageable three levels. Level 1 is based on the organization’s own self-reviews and self-assessments. DoD has already produced the Level 1 self-assessment guide for organizations to use in reviewing the 17 controls needed for Level 1 attainment.
Level 2 is the full set of 110 controls from SP 800-171, implemented in the contractor environment for processing, storage, and transmission of CUI. This covers 14 control families, such as Access Control, Incident Response, System and Information Integrity, and Media Protection among others, and is split into two approaches for review. The first approach, for non-critical programs, allows the organization to self-attest to compliance. The second approach, for more critical systems and data, requires C3PAO (CMMC Third-Party Assessment Organization) assessors to conduct an independent assessment of the organization. Which approach applies depends on the CUI involved and the critical nature of the contract to be supported, and the determination will be made, at least initially, by the DoD Contracting Officer, not by the Organization Seeking Certification (OSC).
Level 3 is for contractor organizations and systems handling the most important and critical data. This level focuses on the need for advanced security and will be reviewed and assessed by a governmental agency only.
- The second change relates to Plans of Action and Milestones, otherwise known as POAMs. A POAM documents a requirement that is not yet implemented at its needed level, together with the planned actions and dates to bring it to that level, for controls that protect CUI and the security components that enable or deliver that protection. The original CMMC Model did not allow open POAMs at the time of assessment; all requirements had to be completed and in place. CMMC 2.0 now allows the organization to have POAMs on items deemed non-critical. Which items qualify is currently determined by the assessor and DoD, not by the organization under review. This lets organizations budget and plan for future installation of security capabilities and equipment, rather than having to “spend the money” upfront to prepare for their CMMC Level assessment.
- The third change is that Level 1 reviews are now based on corporate self-reviews and self-assessments. DoD has already produced the Level 1 self-assessment guide for organizations to use in reviewing the 17 controls needed for Level 1 attainment. These controls, such as requiring a user ID and password for each account, are security basics for any organization, and compliance is easy to reach. The caveat with this change is that the official Level 1 self-attestation of compliance must be submitted and signed by a corporate officer of the organization. Enforcement is therefore available under the US False Claims Act, and it will be used. In fact, the US Dept. of Justice has already created a special Task Force, including members from DoD and DHS as well as other federal agencies, to focus on False Claims Act violations by federal contractors.
- The fourth change is the bifurcation of Level 2 assessment efforts. Under CMMC 2.0, the non-critical Level 2 controls and practices may be self-assessed by the organizations. The selection of which ones are non-critical is up to DoD, not the organization itself. The rest of the practices and controls require a C3PAO-based assessment, performed by a Certified Assessor and Assessment Team, with an independent report that defines which requirements are met and which are not, in accordance with the CMMC Level 2 Assessment Guide and NIST SP 800-171A guidance. It is currently estimated that this one change reduces the number of organizations requiring C3PAO assessments from 300,000+ down to 70,000-100,000. However, all organizations seeking Level 3 certification will have to complete this Level 2 C3PAO assessment before the DoD assessment team conducts their Level 3 assessment; that is the projected process as of now.
What do the above-mentioned CMMC changes mean to the average DoD contractor?
First, organizations now have more time to get ready for their assessment so they can win DoD-based contracts in the future. We will see the actual timelines needed to complete these efforts as DoD releases that information. Second, the full DIB contractor base, worldwide, is still affected by this change, so that area has not changed. It has been estimated that 10-15% of the DIB is based outside the US.
Third, smaller contractor companies and organizations will have an easier path to Level 1 achievement, resulting in less expense and manpower needed to reach this level of corporate certification.
Fourth, CMMC is still moving forward with DoD’s desire to manage its supply chain risks, which is what CMMC was created for in the first place.