The Department of Defense (DOD) announced an enhanced “CMMC 2.0” program on November 4, 2021, which will maintain the program’s original goal of strengthening cybersecurity and protecting sensitive data across the Defense Industrial Base (DIB). So, what is changing from CMMC 1.0 to 2.0 in 2022?
Maturity levels have dropped in number from five to three. Specifically, Maturity levels two and four have been eliminated. All CMMC-unique practices and all maturity processes from the CMMC 1.0 (i.e. legacy) Model have been removed.
Self-assessments are back in play for ML-1, affecting many small business members of the DIB. Firms seeking solely ML-1 certification revert to the previously existing annual self-assessment, including an affirmation by ownership/leadership of strict compliance with the NIST 800-171 standard. This pertains to firms anticipating storage and/or use of Federal Contract Information (FCI) only (i.e., no Controlled Unclassified Information [CUI]).
Third-Party Assessment and Certification
Maturity Level 2 and 3 requirements (previously ML-3 and ML-5, respectively) are the focal points of third-party independent Maturity Level Assessment and (ultimately) certification. The CMMC Maturity Level 2 requirement (originally referenced as ML-3 in CMMC 1.0) was initially split into two sub-categories to identify “prioritized” acquisitions. Prioritized acquisitions would have a higher assessment standard applied for certification and would require an independent third-party assessment every three years. The remaining (i.e., non-prioritized) organizations seeking ML-2 certification would continue much like the ML-1 certification path, completing an annual self-assessment with compliance affirmation.
CMMC Level 3 (previously ML-5) requirements are still under development; however, they are sure to require an independent third-party ML-3 assessment every three years. Firms requiring ML-3 certification operate within the defined ‘critical infrastructure’ space and/or anticipate being party to so-called ‘High Priority Acquisitions’ (as defined by the DOD). ML-3 controls increase to ≈206 (at present) and correlate with those of NIST 800-172 (in addition to -171, as required for ML-2).
Processes in Place
The OUSD (A&S) has stated the following regarding the rollout process of CMMC 2.0 and the requirements necessary for contract prerequisite fulfillment:
“With the implementation of CMMC 2.0, the Department intends to allow companies to receive contract awards with a Plan of Actions and Milestones (POA&M) in place to complete CMMC requirements. The Department’s intent is to specify a baseline number of requirements that must be achieved prior to contract award, in order to allow a remaining subset to be addressed in a POA&M within a clearly defined timeline.”
“Under CMMC 2.0, the Department intends to allow a limited waiver process to exclude CMMC requirements from acquisitions for select mission-critical requirements. Waiver requests will require senior DoD leadership approval and will have a limited duration. The specifics of the waiver requirements will be implemented as part of the rulemaking process.”
What does this mean? Organizations seeking certification are encouraged to develop a time-constrained, measurable, and enforceable process to implement the controls for their desired Maturity Level. This should be formally (and rigorously) documented in a Plan of Action and Milestones (POA&M) for review by assessors. A selective, time-bound waiver process will be implemented by OSD (where needed and approved) and announced in the future as part of the rulemaking rollout. DIB members may seek preparatory advisory support on this and all other documents from Withum.
Roll-Out Timeline in a Post 2.0 World
Changes must still go through the mandated DOD public comment period to solicit insight and diversified market perspectives before CMMC 2.0 is made official. Final approval could take anywhere between two and five years. However, the steep acceleration over 2021-22 of large-scale, devastatingly effective cyber-attacks and the ever-increasing loss of critical and defense-related IP suggest adopting a cyber framework sooner rather than later.
Start preparing ASAP! The worst thing that can happen is you make your company more secure.
Doing business with the U.S. Government in the future will require compliance with some cybersecurity framework, along with a variable-requirement, structured verification mechanism administered by independent auditors. Given DOD’s budgetary gravitational pull and influence (the result of having a larger yearly budget than the annual GDP of nearly all nation-states), the eventual Government cyber requirement will almost certainly be CMMC or NIST or, at a minimum, will be derived directly from one or both. Given the number of firms that will need certification, a significant backlog/waiting list is expected to develop.