CMMC 2.0 isn’t going away; here’s how to prepare for it
June 8, 2022, 2:21 pm
The Defense Industrial Base is currently dominated by hesitancy with regard to the Cybersecurity Maturity Model Certification 2.0. The interim final rule for CMMC that was published in late 2020 was largely met with confusion and chaos, so much so that Deputy Defense Secretary Kathleen Hicks put the program on pause and ordered an internal review. Now, CMMC 2.0 has been released, and has been submitted to the Office of Management and Budget for review; however, that review won’t be complete until 2023, and the intervening time gap is giving many in the DIB the false impression that the program will likely change between now and then, or go away altogether.
“To understand the significance of the rules being published in 2023, it’s necessary to pull the camera back all the way to 2020,” said Jacob Horne, chief cybersecurity evangelist at Summit 7. “At the beginning of 2020, the initial version of CMMC was published. It got revised slightly throughout the year, and at the end of 2020, the interim final rule comes out, and that was really sort of the ‘Big Bang’ moment for many contractors in the DIB. This was when they realized that assessments were headed towards contracts. What they didn’t realize was that this follows the heels of many, many years leading up to that point. There was a large backlash from aerospace and defense contractors supporting the DoD. There was a serious lack of understanding about the separation between the program and the actual requirements.”
Since its inception, this lack of understanding has been central to the drama surrounding CMMC. CMMC is based on the controls presented in the National Institute of Standards and Technology’s Special Publication 800-171. Implementing those controls has been required for years of companies handling Controlled Unclassified Information for the Defense Department. CMMC largely didn’t stray from those requirements; it only added 20 controls and two process maturity requirements. And those, Horne said, were essentially redundancies from the old requirements.
What CMMC really changed is how the implementation of those controls was verified. Up until CMMC, vendors in the DIB were allowed to self-attest to compliance. In other words, DoD took contractors at their word that CUI and other sensitive data was protected and accounted for. But after many years and many breaches, it became clear that that standard simply wasn’t working. DoD needed a way to ensure companies were accountable, and thus CMMC was born.
Horne also said that it didn’t actually change much after the internal review period.
“The changes between CMMC 1.0 and CMMC 2.0 are mostly superficial,” he said. “CMMC 1.0 was not the cleanest and most well executed standard of all time. For those companies that have CUI, their requirements in CMMC 2.0 are exactly the same as they were before CMMC 1.0.”
What they did, Horne said, was strip away the redundancies. The extra 20 controls and two process maturity requirements are gone. So are Levels 2 and 4; Horne said they were never designed for use in government contracts anyway. So what’s left are three levels:
CMMC Level 1: The baseline for doing business with the federal government.
CMMC Level 2: Essentially the implementation of NIST 800-171.
CMMC Level 3: Admittedly new, it draws from a second document known as NIST 800-172. DoD has said that very few companies would require CMMC Level 3.
The other major update in CMMC 2.0 is where it’s codified, meaning that the rulemaking has been established according to the official system. The original 2020 rule only updated the Federal Acquisition Regulations, providing guidance on how to insert these requirements into contracts. But CMMC 2.0 is also being added to CFR Title 32, making it a Pentagon-level program, counting it among the ranks of other programs like DoD’s Freedom of Information Act program.
“That is a dramatic increase. It is a signal of how serious the DoD is about elevating the CMMC program to a for-real, DoD-level, heavy duty, actual program,” Horne said. “It is no longer a program propped up only by a single contract clause. Now, the trade off with that is it takes more time. You have to do two rules instead of one. So it takes a significant amount of time for that process to happen.”
And that amount of time is what’s leading to the mistaken impression that it’s still subject to change, or even likely to go away. Horne said CMMC 2.0 is finished; it takes that long to work a rule of this magnitude through the bureaucratic approval process.
In the meantime, Horne said it’s worth getting started on compliance with the requirements, so that aerospace and defense contractors and higher education research institutions can be prepared when CMMC 2.0 begins showing up in contracts.
“The number one thing that I always recommend that everybody does is to look at a document called NIST SP 800-171a,” he said. “If they don’t look at 800-171a when they are evaluating consultants, service providers, technologies or their own posture towards the requirements, then they will miss out on a significant portion of their obligation. And they will have a very tough time passing their future CMMC 2.0 assessments.”
Summit 7 is a Microsoft Security and Compliance Gold Partner focused on aerospace and defense contractors who need to meet CMMC 2.0 Level 2. You can find out more by visiting: www.summit7.us.