CMMC 2.0 could take as long as two years to come online

The Pentagon is encouraging defense contractors to follow cybersecurity practices laid out by the National Institute of Standards and Technology, but new requirements will not show up in contracts for at least nine months, with the potential for the rulemaking process to stretch out as late as fall 2023.

Meanwhile, a Defense Department official said about 40,000 companies will still require a third-party assessment under the revamped Cybersecurity Maturity Model Certification program.

During a virtual town hall hosted by the CMMC Accreditation Body on Tuesday night, Pentagon officials explained the CMMC 2.0 changes announced last week and previewed the new path forward for the long-simmering program.

“My hope is that no company in the [defense industrial base] or in the broader commercial market is waiting for DOD contractual requirements to begin its cyber readiness process,” Jesse Salazar, deputy assistant secretary of defense for industrial policy, said during the meeting. “We are encouraging all companies to start to improve their cybersecurity.”

Buddy Dees, director of CMMC within the office of the under secretary for acquisition and sustainment, said the Pentagon will be going through a dual-track rulemaking process to implement the CMMC 2.0 changes.

DoD will lay out the new policies, such as waiver processes, through Title 32 National Defense regulations. The Pentagon will also codify the policy into Title 48 Federal Acquisition Regulations so contracting officers can use CMMC 2.0 in acquisitions.

The Pentagon is suspending its CMMC pilots and will not require the certification as part of any contract until after the rules have been finalized, including a 60-day public comment period prior to the rule taking effect, according to Dees.

“Rulemaking is not a fast process by any means,” Dees said. “And in general, we’re looking at somewhere between nine and 24 months to complete both of the rulemaking efforts.”

DoD began rolling out the program more than two years ago, and officials had planned to start including the CMMC requirements in contracts this year prior to the review.

Dees said the Pentagon is aiming to publish details on the updated CMMC 2.0 standards on the program’s website by the end of the month.

CMMC 2.0 is the result of a months-long Pentagon review after lawmakers and industry raised concerns that the program would be too costly and onerous for many in the defense industry, especially small businesses.

DoD officials ultimately decided to shift to a model where companies that don’t handle data deemed critical to national security will only have to self-attest to their cybersecurity practices on an annual basis.

“We feel that maybe first go-around, we cast too wide of a net, and attempted to enforce some cybersecurity practices on companies that maybe didn’t need to have them because the data that they possessed really wasn’t sensitive DoD data,” Dave McKeown, deputy DoD chief information officer for cybersecurity, said during the town hall.

Defense contractors already have to confirm they’re following cybersecurity practices, but DoD rarely enforces those requirements. Salazar said the difference with CMMC 2.0 is level one contractors will need a senior executive to sign off on the firm’s compliance on an annual basis.

“There is a clear requirement and clear accountability,” he said.

During a separate event hosted by C4ISRNet on Wednesday, McKeown gave greater clarity on the number of companies that will still require a third-party assessment versus those that will only need to submit a self-assessment.

DoD estimates there are 220,000 companies in the defense industrial base, and about 140,000 only hold “federal contract-related data,” meaning they’ll fall into the “level one” bucket requiring only a self-assessment, according to McKeown.

“It’s not information that anyone would really care about if it was lost to the enemy,” he said. “We’re not going to see a new F-35 roll out because somebody lost that data.”

Meanwhile, about 80,000 contractors also hold controlled unclassified information and fall into the level two “advanced” stage. McKeown said half of those contractors — roughly 40,000 companies — hold CUI that is considered critical, and those companies will require a third-party assessment.

The other half, holding less sensitive CUI, will only be required to submit a self-assessment.

Finally, McKeown said roughly 500 companies fall into the “level three” category. Those contractors are working on highly sensitive programs and will need to follow “expert” cybersecurity practices. They’ll be audited by an internal DoD division, the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center.

“All good improvements, we think, and will be less onerous on the small- and medium-sized businesses that don’t have any data we’re really concerned about,” McKeown said.

Meanwhile, during Tuesday’s town hall event, officials also emphasized how DoD will strictly align the CMMC 2.0 requirements to the National Institute of Standards and Technology standards, such as NIST Special Publication 800-171 for protecting controlled unclassified information. The original CMMC program had added several additional requirements on top of the NIST standards.

If extra controls are needed for CMMC, DoD officials said they would work through NIST to get them added.

Salazar suggested the process could yield more uniform contractor cybersecurity requirements across government.

“This gives us an opportunity to engage in a policy and an interagency policymaking process and work with NIST in order to make those kinds of changes,” he said. “What we wanted to do was better harmonize with the broader federal government so that we could not have companies try to navigate multiple bespoke requirements from the DoD.”

The Pentagon will also allow companies that don’t have all the security controls in place to submit a plan for meeting the rest of the required measures, referred to as Plan of Action and Milestones (POA&M).

But Dees said the plans would come with a hard deadline. DoD is currently considering a 180-day timeline from contract award for companies to meet the measures laid out under their plans.

“That means that a company doesn’t have to have all the requirements met [at contract award], but 180 days after their contract award, then they would be required to close out any open POA&M actions,” Dees said. “By that time, if a company failed to meet that requirement on the timeline, then a contracting officer would have the ability then to implement the normal remedies for failure to meet contract requirements.”

Dees also said the Pentagon will put limitations on what can be deferred into a POA&M, with some of the “highest weighted” cyber controls being necessary prior to contract award.

“We are going to go through a process where we’re going to identify a threshold minimum score that a company must have in order to meet the requirement for contract to be eligible for contract award,” Dees said.

CMMC 2.0 also introduces a limited waiver process for the certification requirements.

“There could be cases that are mission critical, when it would be in the best interest to at least temporarily waive the CMMC requirement for a particular acquisition,” Dees said. “We’re laying that process out now.”

He said waivers will be considered on a case-by-case basis and will require senior DoD leadership approval.

Role for the CMMC AB?

The accreditation body’s role in the revamped CMMC process was a less-discussed topic during the town hall. The demand for the independent body to train and accredit third-party assessors was drastically reduced by the CMMC 2.0 changes.

But Salazar confirmed the Pentagon would continue to work with the organization as it moves forward. He said DoD has seen “a real professionalization” of the accreditation body over the last few months, and highlighted an agreement that DoD will approve updates to the organization’s conflict-of-interest policies.

“Our intent is to stick with the AB as our assessor, as our trainer, as our partner on this,” Salazar said.

Matthew Travis, chief executive officer of the CMMC AB, said the IRS confirmed the accreditation body’s tax-exempt, non-profit status on the same day the CMMC 2.0 changes were announced last week. He said the decision was not related to the announcement.

Travis applauded the changes and DoD’s confirmation that the body would continue to play a role in the CMMC process.

“Obviously, there’s going to be some concerns about some of the changes depending on what part of the ecosystem people reside, but there’s a way forward,” Travis said. “It’s through a risk management lens. And … the conversation is just now beginning.”

(Jared Serbu contributed to this story)