CMMC 2.0 Rollout

Thomas Low - NDIA Junior Fellow

The Center for Strategic and International Studies estimates that cybercrime cost the world $600 Billion in 2017, and The Council of Economic Advisors estimates that malicious cyber activity cost the US economy anywhere from $57-$109 billion in 2016. With the high-profile cases of the Solar Winds and Colonial Pipeline attacks capturing headlines, keeping the Defense Industrial Base (DIB) resilient in the face of cyberattacks from adversaries has emerged as a priority. The new Cybersecurity Maturity Model Certification (CMMC) 2.0 is part of the Department of Defense’s (DoD) effort  to secure our nation’s cyber infrastructure. To help clarify the rollout of the CMMC 2.0, the Coalition for Government Procurement organized a panel during their Fall Training Conference. The panel was moderated by Bob Metzger of Rogers Joseph O'Donnell, Buddy Dees, the Director of CMMC at DoD, Stacy Bostjanick, the Director of CMMC Policy at DoD, and John Ellis, Director of the Software Division at the Defense Contract Management Agency (DCMA).  The session  detaited why CMMC version 1.0 required changes, outlined the changes introduced with CMMC 2.0, and provided stakeholders with an idea of what to expect in the coming months. 

Following the release of CMMC 1.0, DoD received 850 comments from the DIB.  The main concern was that the certifications were too complex and expensive and would stifle small businesses’ ability to compete with larger contractors.  As the number of small businesses in the DIB has already fallen by 40 percent in the last decade, concerns have arisen about the impact on the DIB’s innovation.  Further harming the connection to the innovative potential of small businesses would be crippling to the DIB and the warfighter. CMMC 2.0 attempts to assuage concerns about losing innovation by streamlining CMMC and lessening the burden on small businesses.  

The most noteworthy change introduced by 2.0 is the complete elimination of two levels of certification – levels two and four out of the original five levels.   In 2.0, to get level one certified, a company must complete an annual self-assessment of their cybersecurity maturity.  Companies that only have Federal Contract Information (FCI) just need to reach level one certification.  To get level two, companies will undergo a third-party assessment every three years. Companies in possession of Controlled Unclassified Information (CUI) are required to attain certification at this level. To meet certification at level three, a company will undergo a government assessment. If companies have high priority CUI, they will need to get level three certified. The new level one certification requires a company to be in acquiescence with 17 practices, the level two requires a company to adhere to the 110 practices listed in the NIST SP800-171, while in the third level a company would have to adhere to all of the practices in NIST SP 800-171 as well as some practices in NIST SP 800-172.  Government staff have not yet fully decided which practices in NIST SP 800-171 will be included in the third level of CMMC certification.  In order to get certified at a certain level, a company must also be certified at the previous level first. 

Another significant development from 1.0 to 2.0 is the way Plan of Action and Milestones (POAMs) are approached.  Last year, three quarters of government contractors needed POAMs to fulfill their contract obligations. In CMMC 2.0, companies will have 180 days to close their POAMs or they risk being noncompliant. The highest priority requirements will not allow POAMs at all.  Moreover, companies may need to meet a certain threshold for the number of requirements that need to be filled without POAMs.  For instance, for a hypothetical contract award, 90/100 of requirements must be filled without using POAMs.  Members of the panel encouraged companies to start now in the interim period before CMMC 2.0 takes effect to close their POAMs and get their CMMC assessments done. 

Moving forward, we can expect a few things about the rollout of CMMC 2.0. Director Buddy Dees stated that stakeholders could expect CMMC 2.0 to become effective anytime in the next 9-24 months. He also noted that before CMMC 2.0 came out, it would undergo a 60-day comment period along with a congressional review. Stakeholders should not expect a potential draft ready for comment before the end of the calendar year. Dees did not say that the government will hold any sessions with stakeholders before the draft, but mentioned that if some companies do have feedback, they could use a contact link on the CMMC website to reach a mailbox that would be checked periodically.

The panel also acknowledged some issues that could come into play in the next few months.  Sometimes it is unclear whether or not companies are in possession of CUI.  John Ellis, while recognizing the issue, emphasized that we can never really eliminate it entirely.  CUI is sometimes generated organically during a contract and Ellis asserted that it is both the responsibility of the contractor and government personnel to try and be persistent in communicating about the nature of potential CUI.  The panelists also recognized that it will be difficult for some companies to know which level of certification they should get, as the difference between prioritized acquisitions and non-prioritized acquisitions is not always clear. 

In sum, the new CMMC 2.0 attempts to streamline and clarify the process for certification while addressing concerns within the DIB from small businesses. In the meantime, while a draft rule is in the works, the panelists urged businesses in the DIB to get certified and use tools like Project Spectrum to assist them in the process. 

Topics: Cybersecurity, Cyber