Last week, the Department of Defense (DoD) shook the Defense Industrial Base (DIB), the ecosystem of CMMC consultants, trainers, and assessors, and the wider cybersecurity industry when it announced its “way forward” with CMMC, to be called CMMC 2.0.
The changes to CMMC are extensive and immediately affect what is expected of contractors and their cybersecurity programs. They have also created significant confusion across the DIB and raised many questions.
Both DoD and the CMMC Accreditation Body remain focused on the protection of Controlled Unclassified Information (CUI). Contractors should not consider this the end of CMMC, but rather a streamlining of the program rollout with reduced impact on their contract performance. DoD has stated that contractors will continue to be expected to build their cybersecurity programs to protect sensitive information and be able to demonstrate these protections to DoD and third-party assessors when CMMC 2.0 is eventually incorporated into contracts.
DHG’s CMMC Advisory team has prepared three observations, three areas of concern, and three action items for contractors as they assess their position relative to CMMC 2.0.
3 Observations
1. The CMMC Framework is Simpler: The reduction of CMMC levels from 5 to 3 eliminates the two transitional levels (2 and 4) that were never associated with certification. Note also that the levels no longer tie to "maturity" processes, only to the security practices required to achieve compliance. Rather than the CMMC 1.0 framework, version 2.0 relies directly on the previously required control sets, NIST SP 800-171 and SP 800-172.
2. The CMMC Accreditation Body (AB) Will Continue: Initial communications suggest that the CMMC-AB will still be responsible for accrediting the CMMC Third-Party Assessor Organizations (C3PAOs) that will conduct the independent assessments required of some Level 2 contractors. DoD's CMMC 2.0 website references the AB, and the AB has expressed support for the new framework while acknowledging that it will have to overhaul its training and accreditation processes.
3. DoD Will Have Additional Oversight in CMMC Assessments: The majority of contractors will likely be able to self-assess, but it appears that DoD, most likely through its Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), may be expanding its discretionary assessments of contractors, focusing explicitly on the most sensitive DoD contracts assigned to the new Level 3.
3 Areas of Concern
1. The Rollout of CMMC is Delayed Again: While a slower rollout of CMMC certification will reduce the risk of an assessor bottleneck, it may also discourage contractors from addressing the intent of CMMC: effective protection of CUI. There was already significant fatigue from the stop-start rollout, and now the DIB will have to wait longer to see exactly what the implementation of CMMC in contracts will look like.
2. Lack of Clarity Around Self-Assessment vs. Third-Party Assessment Requirements: DoD's guidance on CMMC 2.0 "bifurcates" the new Level 2: some contractors at that level will be permitted to report a self-assessment, while others will be required to engage an independent third party to achieve certification. The exact requirements are to be written into contract language, but we do not yet know what distinguishes the two groups.
3. Maturity Requirements are Gone and POAMs are Back: In perhaps the most significant change in CMMC 2.0, contractors will no longer be required to demonstrate maturity of their security practices, because the "process requirements" of the CMMC 1.0 framework do not exist in NIST SP 800-171 or SP 800-172. Further, DoD has indicated that in certain instances Plans of Action and Milestones (POAMs) with clearly defined deadlines may be permitted while still allowing a contractor to achieve certification. If POAM remediation is not enforced, we may see contractors kick the can down the road, leaving known gaps open in their CUI environments.
3 Action Items
1. Continue to Build Your Cybersecurity Program Aligned with NIST 800-171: Gone is version 1.1 of the CMMC Framework and its appendices, leaving NIST SP 800-171 as the minimum set of practices for securing CUI. NIST SP 800-171 will be the standard for both self-assessments and independent assessments, with the more advanced NIST SP 800-172 applied to more critical and sensitive DoD projects.
2. Review DoD's Resources for Contractors for Enhancing Cybersecurity Programs: Through a program dubbed Project Spectrum, DoD provides small and medium-sized contractors with a collection of tools and guidance to help them understand cyber risk and take action. The Project Spectrum site offers training videos, webinar events, and basic readiness checks to help educate the DIB and prioritize cyber efforts.
3. If You Handle CUI, Consider Moving Forward with CMMC Certification Now: DoD notes on its CMMC page that it is considering incentives for contractors who voluntarily achieve certification, regardless of contract requirements. While it is unclear what those incentives might be, if your organization has already been pursuing CMMC certification, there may be benefits to completing a certification assessment.
How DHG Can Help
Look to the team of IT professionals at DHG to tailor our industry insight to the specific cybersecurity needs of your organization. DHG offers a comprehensive suite of cyber, data privacy, and compliance services, along with a thorough understanding of the evolving compliance requirements. To learn more about our technology services, please reach out to us at firstname.lastname@example.org