The Pentagon is revising its Cybersecurity Maturity Model Certification program by sharply reducing the number of companies that would require third-party assessments and providing new waiver processes for select requirements.
The Defense Department is also suspending the CMMC pilots for select contracts until it enacts the revised rules.
DoD announced the new “strategic direction” of CMMC today after a months-long review that delayed its planned implementation this year and raised questions about the program’s future. A frequent criticism was the potential for the program’s costs to force small businesses out of the defense industrial base.
DoD is calling the revamped program “CMMC 2.0.” The revisions are intended to carry forward the original intent of the program to ensure contractors are following best practices for protecting sensitive information on their networks, while also making it easier for small businesses to comply with the mandates.
“CMMC 2.0 will dramatically strengthen the cybersecurity of the defense industrial base,” Jesse Salazar, deputy assistant secretary of defense for industrial policy, said as part of DoD’s statement. “By establishing a more collaborative relationship with industry, these updates will support businesses in adopting the practices they need to thwart cyber threats while minimizing barriers to compliance with DoD requirements.”
Until the CMMC 2.0 changes are codified into federal rules, “the department will suspend the CMMC piloting efforts, and will not approve inclusion of a CMMC requirement in DoD solicitations,” according to a Federal Register notice that was published early this morning and then abruptly withdrawn ahead of the formal DoD statement.
DoD had previously planned on initiating 15 CMMC pilot contracts this year to begin testing out its auditing mechanisms before steadily ramping up to all DoD contracts by the end of fiscal year 2025.
The CMMC 2.0 revisions include consolidating the levels under the program from five tiers to just three: foundational, advanced and expert, according to DoD’s new website for the program.
Contractors who only handle “federal contract information” and not the more sensitive “controlled unclassified information” — all businesses under the level one “foundational” requirements, as well as a “subset” of level-two — will only be required to perform annual self-assessments, according to the website.
The Pentagon had previously estimated that the vast majority of the 300,000 contractors in the defense industrial base would only require the basic cybersecurity certification, meaning the CMMC 2.0 changes eliminate the need for most third-party assessments.
Bob Metzger, who heads the Washington office of Rogers, Joseph and O’Donnell, said the revisions appear to be responding to concerns that the original program’s requirements and costs would overly burden small- and medium-sized businesses, potentially even forcing some of them out of the defense market.
“If you think about it, and resources are scarce, and we need to be respectful of the means of the companies who are being assessed, well, maybe it’s a smarter decision to take a different path for the hundreds of thousands of companies who have only that federal contract information but not CUI,” Metzger said.
Eric Crusius, a partner at law firm Holland & Knight, said the self-attestation “makes it more dangerous for contractors because it sets up a False Claims Act litigation bonanza.”
“There’s a lot of room for whistleblowers, a lot of room for the government to come in and second guess the company,” Crusius said.
Contractors who handle information that is deemed critical to national security will still require a third-party assessment of their network practices in accordance with level-two “advanced” requirements. Level two is expected to reflect the 110 security controls laid out in the National Institute of Standards and Technology Special Publication 800-171.
And the “highest priority, most critical defense programs” will require government-led assessments at level three.
Metzger said the changes retain the CMMC concept, but with a more “tightly focused” application toward companies that handle sensitive information.
The revisions also include a limited waiver process for CMMC requirements under “certain limited circumstances,” according to DoD’s website. Within the same “limited circumstances” construct, the Pentagon will also allow companies to use Plans of Action and Milestones (POA&Ms) to achieve certification.
“These are needed because a program that was too demanding, that could exclude needed companies from the supply chain, that might not be able to accommodate some difficult or particular circumstances, there was a risk that more damage could be done to DoD than benefits,” he said.
The CMMC 2.0 changes also leave a place for the CMMC Accreditation Body. The CMMC AB was established outside the department as an independent entity charged with accrediting third-party CMMC auditors.
The DoD website states the CMMC AB will accredit the CMMC Third Party Assessment Organizations (C3PAOs) necessary for contractors to obtain level two “advanced” certifications. The Pentagon had previously estimated as many as 10,000 companies would need to meet the “advanced” level requirements.
The website also notes DoD “will approve all CMMC-AB conflict of interest related policies that apply to the CMMC ecosystem.” The CMMC-AB is led by industry volunteers, and has previously faced multiple conflict-of-interest complaints.
Metzger noted the accreditation body’s role will still be significant, given the thousands of companies that will require the level-two certification. But he said the changes also point toward a diminished role for the accreditation body within the CMMC ecosystem, with DoD taking on a much bigger role in overseeing the administration of its program.
“I do think that DoD will take a little more responsibility than in the past in making decisions about assessment results where there are questions,” he said. “That makes sense because ultimately, the assessment regime was not for the purpose of the accreditation body. It is for the purpose of the department. Specifically, it is to protect key data assets that are relevant to key programs and requiring activities responsible for those programs and to the mission owners.”
In a statement, CMMC AB Chairman Matthew Travis said the changes announced by DoD are “meaningful and compelling improvements” to the program.
“There will be some short-term challenges to confront, such as curricula adjustments our training providers will now need to make, and the time requirement for yet another round of federal rulemaking,” Travis continued. “But now that there is a definitive way forward, I hope all parties move with alacrity.”
He also said he was “most encouraged by the department’s commitment to the Interim Program in which CMMC Certifications will be authorized, incentivized, and honored for those DIB companies who elect to pursue certification before the formal CMMC mandate is codified. We want to get those started soon and I expect the market demand for CMMC Certification to be significant.”
Meanwhile, the timeline for the CMMC program remains in flux. DoD says it will pursue a formal rulemaking and public comment period to implement the CMMC 2.0 changes.
Crusius said DoD could move fast with the changes, noting that “hackers aren’t going to wait for us to get our ducks in a row.”
“Rulemaking can go pretty quickly if they prioritize it,” he said. “If they issue a rule later this year, I could certainly see the final rule coming out next year and ramping up pretty quickly.”