On November 4, 2021, the Department of Defense (DoD) announced significant changes to the strategic direction of the Cybersecurity Maturity Model Certification (CMMC) program. Specifically, DoD stated that the goal of these changes is to simplify the CMMC standard and prioritize the protection of certain types of controlled defense information. After a nine-month internal review by the Pentagon, DoD introduced CMMC 2.0, which clarifies contracting requirements, places greater emphasis on contractors that hold sensitive information, and suggests that the agency seeks to reinforce cooperation between DoD and industry in addressing evolving cyber threats. The CMMC program changes condense the number of security tiers, allow contractors who do not hold Controlled Unclassified Information (CUI) to perform annual self-assessments, and permit remediation plans (known generally as Plans of Action and Milestones (or POA&Ms)) and waivers in limited circumstances. However, a number of mandatory controls may not be subject to a POA&M prior to award, notwithstanding that other controls may be remediated within a clearly identified timeline.
These strategic changes to the CMMC more closely align CMMC 2.0 with other federal cybersecurity frameworks like FISMA, as opposed to creating unique requirements. The CMMC 2.0 improvements eliminate compliance levels two and four and remove CMMC-unique practices and maturity processes from the CMMC program.
CMMC Program Framework.
On November 30, 2020, DoD directed U.S. defense contractors to comply with the original iteration of CMMC, pursuant to an interim DFARS rule, Implementation of Cybersecurity Requirements (DFARS Case 2019-D041), which established DFARS 252.204-7021. DoD intended CMMC to enhance Defense Industrial Base (DIB) cybersecurity and protect CUI that DoD shares with contractors and subcontractors. Under the CMMC program, DIB contractors were required to implement specific cybersecurity protection practices and obtain CMMC certification in order to participate in DoD contracts, without the ability to remediate issues outside of an initial certification cure period. DoD established a five-year phase-in period for all DIB contractors and subcontractors to comply with CMMC. Given the heightened nature of these requirements, industry generally critiqued the contemplated CMMC process as being inflexible and including CMMC-unique controls that were based on standards besides those developed by the National Institute of Standards and Technology (NIST), such as the Center for Internet Security controls.
In March 2021, DoD began an internal review of CMMC implementation, which was informed by more than 850 public comments. This comprehensive assessment resulted in a revised version of the program, CMMC 2.0.
Changes to the CMMC Program.
DoD stated that it intends for the CMMC 2.0 framework to be a simplified, more targeted approach to safeguarding sensitive information. CMMC 2.0 consolidates the number of security tiers from five to three, removing security levels two and four and related maturity practices. Under the original CMMC model, the requirements in tiers one, three, and five were based on existing cybersecurity standards, namely guidance from the Federal Acquisition Regulation (FAR) and NIST. In contrast, the requirements for tiers two and four were formulated by the CMMC program and not based on preexisting federal guidance. Removal of the so-called CMMC-unique practices and processes would appear to bring CMMC into direct alignment with the NIST Special Publication 800-171 (NIST SP 800-171); however there has not been precise clarity on this point, which remains a key issue to watch.
CMMC 2.0’s “Foundational” Level 1 consists of companies that hold only Federal Contract Information (FCI), not CUI. CMMC 2.0 will require Level 1 contractors to adhere to 17 “basic cyber hygiene” security controls specified in NIST SP 800-171. Although these Level 1 practices remain the same as those required under the original CMMC, the updated program no longer requires contractors only holding Level 1 certification to obtain a CMMC assessment and certification. Instead, CMMC 2.0 indicates that an annual self-assessment of network practices in accordance with the basic NIST SP 800-171 requirements will be sufficient to ensure compliance. Contractors maintaining Level 1 certification will also calculate and upload into the Supplier Performance Risk System (SPRS) an assessment score. This primarily impacts organizations that only handle FCI, as it removes the assessment burden and cost for organizations that do not maintain CUI.
CMMC 2.0’s “Advanced” Level 2 certification will be required to adhere to the security controls aligned with NIST SP 800-171. For purposes of this assessment, Level 2 certification is bifurcated into two subgroups based on the level of criticality of the information possessed by the contractor. Contractors who hold CUI consisting of “Critical National Security Information” will be required to undergo third-party assessments three times per year. Select contractors who hold non-critical information will instead be allowed to demonstrate compliance through self-assessments. The guideposts by which DoD plans to measure criticality are currently unclear but will likely be the subject of rulemaking.
CMMC 2.0 “Expert” Level 3, which parallels the original CMMC’s Level 5, consists of contractors who hold CUI and are involved with the “highest priority, most critical defense programs.” Contractors holding Level 3 certification will be required to comply with more than 110 practices based on NIST SP 800-172, which DoD has stated that it is still finalizing. DoD will conduct its own assessments of Level 3 contractors three times each year.
The new changes also allow for limited POA&Ms, which were not part of the original CMMC program, but only for certain non-critical controls. The inclusion of POA&Ms in CMMC 2.0 allows contractors who are unable to meet every cybersecurity requirement during a given assessment the ability to continue working with DoD while implementing a remediation action plan to achieve certification in the near future (limited to only 180 days). Although this process is consistent with other high-level federal cybersecurity models and recognizes the risk mitigation function of cybersecurity, it may drastically enhance remediation timelines, given the necessary timing for technical work and data necessary to (re-)achieve compliance. DoD has indicated that the POA&M cannot include the highest-weighted requirements. Although DoD has yet to define this subset, it likely refers to several fundamental, high-level security requirements in the NIST SP 800-171 DoD Assessment Methodology. DoD will also establish a minimum score requirement to limit the extent of POA&Ms.
Further, CMMC 2.0 includes a waiver process to exclude contractors from meeting CMMC requirements for select mission-critical requirements and for a limited period of time, subject to senior leadership approval. These waivers will apply to all CMMC requirements (not individual controls) and will be approved by senior DOD leadership on a likely very limited case-by-case basis. The expectation is that these waivers will be used for time-critical acquisitions where CMMC requirements would reduce mission-critical capabilities. The rulemaking process will likely establish detailed guidelines related to waivers.
CMMC 2.0 Implementation Timeline.
To implement CMMC 2.0, DoD will issue a new final rule. DoD has indicated that during the rulemaking process, DoD solicitations that include CMMC requirements will not be approved, and that the original CMMC piloting efforts will be suspended, including the 15 CMMC pilot contracts that DoD had planned to implement this year. The Pentagon also plans to publish a cost analysis for compliance with each tier of CMMC 2.0.
DoD guidance indicates that CMMC 2.0 program requirements will be mandatory upon completion of rulemaking. This could also signify an accelerated timeline for compliance with CMMC program requirements. Under the previous CMMC model, DoD established a five-year implementation blueprint, with all defense contractors required to have completed certification by 2026. Depending on the duration of the rulemaking process, compliance with CMMC 2.0 may be required earlier than the timeline under the original CMMC implementation blueprint.
Implications for Defense Contractors.
CMMC 2.0 directly impacts how DIB contractors will be required to implement cybersecurity safeguards. The changes may ease compliance burdens for Level 1 contractors who only handle FCI and Level 2 contractors who handle non-critical CUI—both of whom can perform self-assessments to show compliance. The Pentagon previously estimated that a substantial majority of DIB companies would require only basic cyber hygiene. However, contractors who hold CUI and were previously required to meet Level 2 security practices may face more stringent requirements under CMMC 2.0’s Level 3.
In addition, DoD’s announcement of CMMC 2.0 follows the U.S. Justice Department’s recent establishment of a Civil Fraud Cyber Initiative, which DOJ specifically indicated was intended to “hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.” All self-assessments with affirmation by company leadership by Level 1 and a subset of Level 2 contractors may result in greater exposure to liability under the False Claims Act (FCA), particularly given the DOJ enforcement initiative. To that end, DoD and DOJ appear to be sending a clear directive to contractors, suggesting that cybersecurity is a material requirement under DoD contracts that must be taken seriously.
Please contact the authors if you have any questions about cybersecurity policies or CMMC compliance and the potential impact on your business, or if you require assistance interpreting current governing rules and regulations.
McGuireWoods government contracts team helps clients prepare for CMMC compliance requirements, ensuring that they have taken the necessary steps to achieve CMMC certification. Defense contractors who (1) contract with defense agencies and (2) store FCI or CUI electronically should monitor CMMC updates closely. Please contact the authors if you have any questions about CMMC and its potential impact on your business, or require assistance interpreting the governing rules and regulations.