U.S. Department of Defense launches CMMC 2.0

DoD announced its strategic direction for the Cybersecurity Maturity Model Certification (CMMC) program on November 4, 2021. The announcement marks the completion of an internal review and the implementation of an enhanced CMMC 2.0 program. CMMC 2.0 builds upon the initial CMMC framework to improve DoD contractor cybersecurity against evolving threats. Through version 2.0, DoD seeks to simplify the CMMC standard and provide additional clarity on cybersecurity regulatory, policy, and contracting requirements; focus the most advanced cybersecurity standards and third-party assessment requirements on companies supporting the highest priority programs; and increase DoD oversight of professional and ethical standards in the assessment ecosystem. 

DoD first introduced CMMC 1.0 in January 2020 (see our prior discussion of CMMC 1.0 here). CMMC created a unified cybersecurity standard and certification program for companies in the defense industrial base (DIB) to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) shared with and handled by DoD contractors and subcontractors on contractor information systems.

In September 2020, DoD published an interim rule addressing CMMC including a requirement for DoD contractors to have an appropriate CMMC level certification prior to contract award and during contract performance (see our previous comments on the rule here). The interim rule went into effect on November 30, 2020, and created a new Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7021, Cybersecurity Maturity Model Certification Requirements, while implementing a five-year phase-in piloting strategy with the goal to include CMMC requirements in all DoD contracts by 2026.

Most recently, however, DoD issued an advanced notice of proposed rulemaking in the Federal Register, suspending CMMC piloting efforts and indicating that it will not approve inclusion of CMMC requirements in DoD solicitations until the new CMMC 2.0 changes take effect.

Summary of key changes

Through CMMC 2.0, DoD has introduced several key changes that build on and refine the original CMMC framework, described in more detail here. The main changes are as follows:

1. Elimination of levels 2 and 4 and removal of CMMC-unique practices and all maturity processes

Instead of five levels of cybersecurity maturity (e.g., basic cyber hygiene through advanced/progressive), CMMC 2.0 has been streamlined to only include three increasingly progressive levels:

• Foundational / Level 1 (same as previous level 1)

• Advanced / Level 2 (previous level 3)

• Expert / Level 3 (previous level 5)

DoD has indicated that if contractors and subcontractors are handling the same type of FCI and CUI, then the same CMMC level will apply across the board, while in cases where the prime only flows down select information, a lower CMMC level may apply to the subcontractor.

By eliminating all maturity processes and the CMMC unique security practices, CMMC 2.0 now aligns the requirements at each level with well-known and widely accepted NIST cybersecurity standards.  For instance, Level 2 maps directly to the 110 security requirements listed in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, while Level 3 will include essentially all 110 controls of NIST SP 800-171, plus a subset of controls from NIST SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171.[1]

2. Allowance of annual self-assessments with an annual affirmation by DIB company leadership for CMMC Level 1

CMMC 2.0 has eliminated the CMMC Third Party Assessment Organization (C3PAO) assessments for Level 1. This  change should reduce costs and barriers for smaller businesses, as those companies only handling FCI will still be allowed to attest to their compliance with the 17 cybersecurity practices that map to those in FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems. Accordingly, those contractors that do not handle information deemed critical to national security will be required to perform annual self-assessments against the articulated cybersecurity standards. This will be accompanied by an annual affirmation from a senior company official that the company is meeting requirements. DoD intends to require companies to register self-assessments and affirmations in the Supplier Performance Risk System (SPRS). For those companies that can self-attest to their compliance, they should consider the risk of false claims lawsuits from the Department of Justice’s Civil Division, given the increased scrutiny in this area. 

3. Bifurcation of CMMC Level 3 (now Level 2) requirements to identify prioritized acquisitions that would require independent assessment, and non-prioritized acquisitions that would require annual self-assessment and annual company affirmation

CMMC Level 2, which was the former Level 3, is now bifurcated:

• A subset of Level 2 companies who will not be handling information deemed critical to national security will be allowed to demonstrate compliance through self-assessments and  provide an annual affirmation that the company is meeting requirements.

• However, those Level 2 companies managing information critical to national security will be required to undergo third-party assessments by the CMMC Accreditation Body (CMMC-AB) C3PAOs. If subject to this requirement, the contractor will be fully responsible for obtaining the necessary assessment and certification. After the completion of the CMMC assessment, the C3PAO will provide an assessment report to the DoD.[2] These third-party assessments will be required on a triennial basis.

4. CMMC Level 5 (now Level 3) requirements are under development

The new Level 3 will largely rely on NIST SP 800-172, which is a supplement to NIST SP 800-171 that provides enhanced cybersecurity controls to protect CUI associated with a critical program or a high value asset from advanced persistent threats. We previously wrote about NIST SP 800-172 (formerly NIST SP 800-171B) here. Level 3 will include the highest priority, most critical defense programs and will require government-led assessments. DoD has indicated that the government-led assessments will be required on a triennial basis. The more detailed assessment requirements are currently under development, but will likely be similar to those assessments conducted by the Defense Industrial Base Cybersecurity Assessment Center.

5. Development of a time-bound and enforceable Plan of Action and Milestone process

DoD has indicated that it will create a Plan of Action and Milestone (POA&M) process, which  is a significant change to the CMMC program. CMMC had initially required 100 percent compliance for contractors to obtain a certification for their desired CMMC level, but CMMC will allow for POA&Ms to complete CMMC requirements. DoD hopes to specify a baseline number of requirements that must be achieved prior to contract award, in order to allow a remaining subset to be addressed in a POA&M within a clearly defined timeline. DoD also intends to specify a small subset of requirements that cannot be on a POA&M in support of achieving a CMMC certification. DoD will also establish a minimum score requirement to support certification with POA&Ms.

6. Development of a selective, time-bound waiver process, if needed and approved

The waiver process is new to CMMC and will require senior DoD leadership approval and will have a limited duration. Specifically, a DoD program office will be required to submit a justification package that includes the specified timeline and associated risk mitigation plan. The additional specifics of the waiver requirements will be implemented as part of the rulemaking process, but DoD has indicated that a waiver will apply to an entire CMMC requirement, not individual cybersecurity practices. 

How the changes will be implemented

The CMMC 2.0 changes will be implemented through the rulemaking process. Specifically, DoD will pursue rulemaking in:  1) title 32 of the Code of Federal Regulations (CFR), to establish the CMMC 2.0 program; and, 2) title 48 CFR, to implement any needed changes to the CMMC program content in 48 CFR.

Both rules will have public comment periods, and CMMC will not become mandatory until the title 32 and title 48 CFR rulemakings are complete. At that time, contractors should then expect to see the required CMMC level in solicitations and Requests for Information, if utilized. 

Takeaways for DoD contractors

While DoD will be implementing changes to the CMMC program through additional rulemaking,[3] it encourages contractors to continue to enhance their cybersecurity posture during the interim period while the rulemaking is underway. DoD is also exploring opportunities to provide incentives for contractors who voluntarily obtain a CMMC certification in the interim period. The Department intends to post the CMMC 2.0 model for Levels 1 and 2, their associated Assessment Guides, and scoping guidance to their website in the coming weeks for informational purposes. Level 3 information will likewise be posted as it becomes available.

If you have questions about CMMC and how the requirements may apply to you, please contact an author of this post or the Hogan Lovells lawyer with whom you regularly work.