CMMC 2.0 to pare down cybersecurity requirements for contractors - FedScoop

2021-11-04 13:13 (EST) - Jackson Barnett

The Department of Defense’s cybersecurity compliance program for contractors will be pared down in scope and expectations, according to an acquisition regulation document.

The Cybersecurity Maturity Model Certification (CMMC) will no longer require every contractor to get a third-party certification if they do not touch controlled unclassified data, a change that could reduce the cost of compliance for thousands of contractors. The new CMMC 2.0 model, as it’s being called, is also being shrunk from five tiers to only three.

CMMC has caused both excitement and heartache for the defense contracting industry since it was first floated in 2019. Advocates argue the assessments would raise cybersecurity standards across the defense industrial base, while critics say it would penalize small businesses that can’t afford to comply with the requirements.

The new regulation document was published on the Federal Register Thursday morning but was withdrawn shortly afterward.

“CMMC 2.0 will dramatically strengthen the cybersecurity of the defense industrial base,” Jesse Salazar, deputy assistant secretary of defense for industrial policy, said in a release. “By establishing a more collaborative relationship with industry, these updates will support businesses in adopting the practices they need to thwart cyber threats while minimizing barriers to compliance with DoD requirements.”

The changes appear to reduce the burden on contractors after industry groups and businesses had complained to the DOD and Congress about onerous costs for meeting the previous framework.

The changes are outlined in a proposed rule change to the Defense Federal Acquisition Regulation Supplement (DFARS) that is set to be published Nov. 5.

Contractors that handle controlled unclassified information (CUI) and therefore need to meet level three of the model will still need to get a third-party certification proving they meet cyber standards. But the specific controls originally established in the first iteration of CMMC will be limited to what an earlier standard from the National Institute of Standards and Technology set out for CUI.

Other changes that will impact contractors include an allowance for “Plan of Action and Milestone” (PoAM) reports, allowing contractors that do not meet every security control time to prove that they will in the future. Allowing for PoAMs has been a point of contention because failure to meet a control in a CMMC inspection would have meant a contractor could not work with DOD. PoAMs will give contractors the ability to still pass an assessment even if they are not meeting all the requirements at that time.

The new CMMC rule also introduces a broader waiver process for contractors.

The new model comes after industry groups had urged DOD for clarity on how CMMC will be implemented. Former leaders, including former Undersecretary for Acquisition and Sustainment Ellen Lord, had also urged DOD to not “let the perfect be the enemy of the good” as officials reviewed the program.

Defense contractors are not the only group that could be impacted by the changes. An industry of assessors, consultants, trainers and other cyber experts was expecting to meet demand for all 300,000 defense contractors that do business with the DOD. The vast majority of contractors that do not work on sensitive programs would have only needed a level one assessment, officials said.

With less demand, there could be less strain on the assessors that have been accredited by the CMMC Accreditation Body (CMMC AB), the third-party organization that oversees the ecosystem of assessors.

CMMC AB CEO Matt Travis recently expressed concern about whether the supply of certified assessors would be able to meet the impending demand.

“In terms of a framework we have a pretty strong architecture, the real x-factor is are there enough Americans who are interested in becoming assessors?” he said during a recent interview with FedScoop. “I know it’s a tight labor market, so that’s probably the one thing I worry most about.”

Speaking to FedScoop, Eric Crusius, a partner at Holland & Knight LLP, said questions remain over the precise nature of CMMC 2.0, but warned that allowing businesses to self-certify at CMMC level one could spur False Claims Act litigation.

“There would [likely] be a lot more room for whistleblowers under that regime,” said Crusius.
