For the past several months, there has been a frantic scrambling by all stakeholders involved in the Cybersecurity Maturity Model Certification (CMMC) program — the Accreditation Body (AB), the Defense Department, the third-party assessment organizations (C3PAO) and defense industrial base (DIB) vendors — to determine the best path forward to secure the nation’s supply chain. This was CMMC’s implicit goal from the beginning. The problem was that the program was never really thought through. It wasn’t clear how to implement the requirements, the requirements themselves kept changing, and bottlenecks constantly popped up toward implementing what did seem to be settled.
Then on Nov. 4, DoD released a new document, “48 CFR Chapter 2 — Cybersecurity Maturity Model Certification (CMMC) 2.0 Updates and Way Forward,” that outlined some monumental changes to the CMMC program. DoD also updated its CMMC reference website to include new details of what CMMC 2.0 will look like. I urge everyone to go to the website and take a look.
At a high level, here are the important takeaways from CMMC 2.0:
There are now going to be three levels of security, reduced from CMMC 1.0’s five levels.
The new Level 1 security retains the same 17 controls as CMMC 1.0 Level 1 but removes independent validation requirements, allowing DIB vendors to perform annual self-assessments.
The new Level 2 (previously CMMC 1.0 Level 3) now includes only the 110 practices from NIST SP 800-171 Rev. 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. The additional 20 practices and three processes borrowed from other security frameworks (e.g., FAR Clause 52.204-21, NIST 800-53 Rev. 4, NIST CSF v1.1) that were part of CMMC 1.0 have been removed.
In addition, only those DIB vendors with critical national security information will require tri-annual independent third-party assessments.
DIB vendors without critical national security information will be allowed to perform annual self-assessments.
The new Level 3 (previously CMMC 1.0 Level 5) now only includes the practices from NIST 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information, a supplement to NIST SP 800-171.
Given the details above, many in the industry are considering the Nov. 4 release to be the equivalent of an atomic bomb. It’s my opinion that the CMMC program has been “blown up,” and I think we all need to wait for the dust to settle. Since CMMC’s inception, it feels like everyone has mashed the gas pedal to the floorboard wanting to get ahead of the rest of the crowd, to be the first in every aspect of the program. To be frank, this mentality led to stakeholders getting burned by the changes represented by CMMC 2.0. There’s no other way to explain it; some businesses made expensive investments into CMMC 1.0, and it’s likely those investments will not pan out the way they hoped they would.
In light of recent events, my recommendation is that everyone needs to step back and take a breath. Let’s all let the DoD and the CMMC-AB (if it will still exist in this CMMC 2.0 world) put pen to paper and codify what CMMC 2.0 will actually look like to prevent the same fallout from CMMC 1.0 hitting us all again with 2.0.
In the meantime, NIST 800-171 always has been and continues to be the law of the land. If your DIB organization processes, stores, and/or transmits controlled unclassified information, you’ll need to ensure that you implement NIST 800-171 in its entirety. Whether you’ll eventually need an independent third party to assess your implementation or you’ll be able to self-assess doesn’t really matter. NIST 800-171 provides a solid baseline for securing critical data, and it’s the bare minimum that every vendor that does business with the DoD should put squarely in its sights.
Johann Dettweiler is the Director of Operations at TalaTek, a Cerberus Sentinel company.