Pentagon strips down CMMC program to streamline industry cyber assessments | Federal News Network

2021-11-04 14:48 (EST) - Justin Doubleday

The Pentagon is revising its Cybersecurity Maturity Model Certification program by sharply reducing the number of companies that would require third-party assessments and providing new waiver processes for select requirements.

The Defense Department is also suspending the CMMC pilots for select contracts until it enacts the revised rules.

DoD announced the new “strategic direction” of CMMC today after a months-long review that delayed its planned implementation this year and raised questions about the program’s future. A frequent criticism was the potential for the program’s costs to force small businesses out of the defense industrial base.

DoD is calling the revamped program “CMMC 2.0.”

“CMMC 2.0 will dramatically strengthen the cybersecurity of the defense industrial base,” Jesse Salazar, deputy assistant secretary of defense for industrial policy, said as part of DoD’s statement. “By establishing a more collaborative relationship with industry, these updates will support businesses in adopting the practices they need to thwart cyber threats while minimizing barriers to compliance with DoD requirements.”

Until the CMMC 2.0 changes are codified into federal rules, “the department will suspend the CMMC piloting efforts, and will not approve inclusion of a CMMC requirement in DoD solicitations,” according to a Federal Register notice that was published early this morning and then abruptly withdrawn ahead of the formal DoD statement.

DoD had previously planned on initiating 15 CMMC pilot contracts this year to begin testing out its auditing mechanisms before steadily ramping up to all DoD contracts by the end of fiscal year 2025.

The CMMC 2.0 revisions include consolidating the levels under the program from five tiers to just three: foundational, advanced and expert, according to DoD’s new website for the program.

Contractors who only handle “federal contract information” and not the more sensitive “controlled unclassified information” — all businesses under the level one “foundational” requirements, as well as a “subset” of level-two — will only be required to perform annual self-assessments, according to the website.

The Pentagon had previously estimated the vast majority of the 300,000 contractors in the defense industrial base would only require the basic cybersecurity certification, meaning the CMMC 2.0 changes eliminate the need for the vast majority of third-party assessments.

Bob Metzger, who heads the Washington office of Rogers, Joseph and O’Donnell, said the revisions appear to be responding to concerns that the original program’s requirements and costs would overly burden small- and medium-sized businesses, potentially even forcing some of them out of the defense market.

“If you think about it, and resources are scarce, and we need to be respectful of the means of the companies who are being assessed, well, maybe it’s a smarter decision to take a different path for the hundreds of thousands of companies who have only that federal contract information but not CUI,” Metzger said.

Contractors who handle information that is deemed critical to national security will still require a third-party assessment of their network practices in accordance with level-two “advanced” requirements. Level two is expected to reflect the 110 security controls laid out in the National Institute of Standards and Technology Special Publication 800-171.

And the “highest priority, most critical defense programs” will require government-led assessments at level three.

Metzger said the changes retain the CMMC concept, but with a more “tightly focused” application toward companies with more sensitive information.

The revisions also include a limited waiver process for CMMC requirements under “certain limited circumstances,” according to DoD’s website. Within the same “limited circumstances” construct, the Pentagon will also allow companies to use Plans of Action and Milestones (POA&Ms) to achieve certification.

Metzger applauded the new flexibilities.

“These are needed because a program that was too demanding, that could exclude needed companies from the supply chain, that might not be able to accommodate some difficult or particular circumstances, there was a risk that more damage could be done to DoD than benefits,” he said.

The CMMC 2.0 changes also leave a place for the CMMC Accreditation Body. The CMMC AB was established outside the department as an independent entity charged with accrediting third-party CMMC auditors.

The DoD website states the CMMC AB will accredit the CMMC Third Party Assessment Organizations (C3PAOs) necessary for contractors to obtain level two “advanced” certifications. The Pentagon had previously estimated as many as 10,000 companies would need to meet the “advanced” level requirements.

The website also notes DoD “will approve all CMMC-AB conflict of interest related policies that apply to the CMMC ecosystem.” The CMMC-AB is led by industry volunteers, and has previously faced multiple conflict-of-interest complaints.

Metzger noted the accreditation body’s role will still be significant, given the thousands of companies that will require the level two certification. But he said the changes also point toward a diminished role for the accreditation body within the CMMC ecosystem, with DoD taking on a much bigger role in overseeing the administration of its program.

“I do think that DoD will take a little more responsibility than in the past in making decisions about assessment results where there are questions,” he said. “That makes sense because ultimately, the assessment regime was not for the purpose of the accreditation body. It is for the purpose of the department. Specifically, it is to protect key data assets that are relevant to key programs and requiring activities responsible for those programs and to the mission owners.”
