On November 4, 2021, the Department of Defense (DoD) released the results of its review of the Cybersecurity Maturity Model Certification (CMMC) Framework. Release version 2.0 of the initiative includes feedback from the Defense Industrial Base and DoD agencies.
The change in executive administration earlier this year, as well as vocal feedback from the defense industrial base, has led DoD to address the most significant issues threatening a successful implementation of CMMC. Virtually all aspects of the framework and rollout have been modified, and we believe these are six of the most critical takeaways for contractors:
Simplification of CMMC Levels: The new version of the CMMC framework reduces the number of maturity levels from 5 levels to 3. Levels 2 and 4 have been eliminated and the requirements of the remaining levels have changed. Level 1 remains the minimal set of requirements, while Level 2 aligns explicitly with the current NIST 800-171 set of controls for protecting Controlled Unclassified Information. Level 3 includes all Level 2 requirements, plus more stringent practices for more sensitive DoD programs.
Return of NIST 800-171 and 800-172: Gone are Maturity Levels, as Levels 1 – 3 now require assessment and attestation of compliance with the existing NIST frameworks for protecting Controlled Unclassified Information. Because there are no process requirements defined in the NIST frameworks, there is currently no expectation for demonstrating process maturity.
The CMMC Accreditation Body will Remain: DoD and the Accreditation Body remain in regular communication and the AB will still be responsible for accrediting the CMMC 3rd Party Assessor Organizations (C3PAOs) that will perform the NIST 800-171 assessments for Level 2 certifications. While the pilot/pathfinder program has been suspended, once the dust settles on the new requirements and the AB adjusts its accreditation program, C3PAOs will be immediately authorized to conduct assessments and the AB will issue certifications at Level 2.
New Approach to Self-Attestation: CMMC was expected to eliminate the self-attestation approach to CUI protection, but CMMC 2.0 will allow some contractors to continue to self-assess and self-attest to compliance. It is important to note that, in place of a third-party assessment and certification by the CMMC Accreditation Body, executive leadership of a contractor will have to sign off on the certification. This is a dramatic departure from the current default assumption of compliance, and will require executive leaders to be diligent in their self-assessment efforts.
Limited and Restricted Permissibility of POAMs: While permitted under the current DFARS rules, Plans of Action and Milestones (POAMs) were expected to be prohibited as part of CMMC certification. DoD has announced that CMMC 2.0 will continue to permit POAMs in limited use, placing a 180-day time limit for a POAM to be in place before it must be remediated. Contractors will not be able to use POAMs for the "highest weighted" CMMC requirements, preventing over-reliance on POAMs for a majority of certification requirements.
A New Interim Rule and DFARS Rule-making Process Begins: The new way forward will require specific assessment and certification requirements to be defined in Federal Acquisition Rules. Public comment periods will be offered, which will ultimately extend the period before CMMC appears in DoD contracts. While the interim rule for self-assessment and scoring of NIST 800-171 is still in place, it could be another year or more before CMMC makes it into contracts as a requirement.
DHG is a Registered Provider Organization and Candidate C3PAO with the Accreditation Body, providing various CMMC, NIST 800-171 and cybersecurity program consulting for contractors. Please reach out to DHG's Tom Tollerton for additional insight into the new CMMC 2.0 and the firm's capabilities to assist.