Department of Defense announces CMMC updates
The Department of Defense (DoD) is streamlining its Cybersecurity Maturity Model Certification (CMMC) program to make it easier for defense contractors to implement the required cybersecurity practices and controls. The DoD announced the update, known as CMMC 2.0, on Nov. 4, 2021, alongside a notice of proposed rulemaking.
Until the updated model is made official through rulemaking, the DoD is suspending implementation of CMMC. It will also not include CMMC requirements in DoD requests for proposals (RFPs) or contract awards during that period.
The CMMC model follows a risk-based cybersecurity approach to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The proposed CMMC 2.0 program and its associated rulemaking are designed to protect sensitive DoD data and systems by strengthening the cybersecurity capabilities of defense industrial base (DIB) contractors, which are increasingly frequent targets of sophisticated cyberattacks. Recent research by Palo Alto Networks and the National Security Agency exposed an “ongoing effort by unidentified hackers to steal key data from US defense contractors and other sensitive targets.” The model is intended both to protect sensitive DoD data held by contractors and to let the DoD understand and verify the security posture of those contractors.
The tiered model is largely based on National Institute of Standards and Technology (NIST) Special Publication 800-171, which specifies the security requirements for protecting CUI in nonfederal systems. CMMC 2.0 also draws on NIST SP 800-172, a supplement to NIST SP 800-171 that adds enhanced requirements for higher-value targets.
The proposed CMMC 2.0 program comprises three cybersecurity compliance levels, whereas the original model contained five levels. For a comparison of CMMC Model 1.0 and 2.0, view this graphic: Key Features of CMMC 2.0. The new levels are:
- Level 1: Foundational. No changes in controls from the previous version. An annual self-assessment is required.
- Level 2: Advanced. Drops the 20 additional CMMC-specific practices and the process maturity requirements of the previous Level 3. It is based entirely on NIST SP 800-171, which contains 110 security requirements. Contracts involving “critical national security information” will require a third-party assessment every three years; select programs will instead require an annual self-assessment.
- Level 3: Expert. Replaces the previous Level 5 and adds practices drawn from NIST SP 800-172. Level 3 contracts will require government-led assessments every three years.
Goals of CMMC 2.0
- Streamline the model from five to three compliance levels
- Align with widely accepted cybersecurity practices and controls from the National Institute of Standards and Technology (NIST)
- Create more reliable assessments
- Help all Level 1 contractors and a subset of Level 2 companies reduce the costs of compliance
- Raise the accountability and oversight of third-party assessors
The DoD plans to publish the CMMC models for Levels 1 and 2, along with assessment guidance, in the coming weeks. The Level 3 model is still under development and will most likely be published in 2022.
The proposed rule will then go through a public comment period, a process that can take nine to 24 months to complete and may result in changes to the rule. CMMC 2.0 itself was the product of a review of roughly 850 public comments on the original CMMC program, which went into effect Nov. 30, 2020.
It’s important to remember that CMMC 2.0 is not final and significant open issues remain. For example, CUI related to “critical” national security information may carry unique security requirements, but what counts as critical has not yet been defined. That judgment will most likely be made by the DoD.
The CMMC Information Institute issued an open letter to President Biden arguing that the proposed version 2.0 weakens security by allowing self-assessments that “clearly” have not worked and will not work, and that could undermine supply chain security. The Institute also criticized the program’s inability to operate at scale, a critical requirement given that the defense supply chain includes more than 220,000 businesses.
Potential benefits of CMMC Model 2.0
Small and mid-size defense contractors are likely to see the most significant benefits from the upcoming CMMC rules, largely because the program lowers the cost and complexity of compliance. Other potential benefits include:
- Reduces the number of security practices required for Level 2 certification from 130 to 110
- Removes the need for many contractors to hire a third-party assessor by allowing more self-assessments
- Uses well-established NIST frameworks and security controls
- Allows the DoD to verify implementation of clear cybersecurity standards
- Permits time-bound Plans of Action and Milestones (POA&Ms), which let contractors that have not yet fully implemented a control document when and how they will do so
Get ready for the new rules
To prepare for the proposed rules, defense contractors should assess their cybersecurity programs during this interim period. Because government contractors remain a persistent target of attackers due to the sensitive data they handle, it is essential to get a jump on the new security controls and compliance obligations by continuing to update and expand security controls and by reviewing compliance capabilities now, rather than waiting for the final rule.
It is also critical to begin planning how to communicate the new requirements to employees, and organizations should be prepared to create new training and awareness programs.
Planning and implementation may be arduous for companies that are not yet compliant with CMMC 1.0. For those that have already achieved compliance, implementing CMMC 2.0 should be an easier lift. Either way, contractors should continue to strengthen their cybersecurity posture during the interim period so they can hit the ground running when the new version takes effect.