New Cybersecurity Maturity Model (CMMC) 2.0 Requirements

Published: Feb 15, 2022
Share

By Jill Lawson

The DOD CIO was recently assigned ownership of the CMMC program from the DOD Acquistion and Sustainment (A&S) office, and DOD CIO and Deputy for Cybersecurity David McKeon hosted his first Town Hall on February 10,2022. Since the DOD CIO assumed ownership, the A&S CMMC 2.0 Rollout Model has been changed to ensure Covered Defense Information (CDI) is appropriately protected based upon the CMMC level in accordance with future contracts (see the chart below.)

In summary, CMMC is the DOD’s third-party certification program and provides proof contractors have implemented NIST 800-171 to protect CDI including Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). FCI is any information that is not intended for public release, such as contract performance reports, organizational or programmatic charts, process documentation, etc. CUI is information provided by the government or created due to a request by the government, that requires protection such as encrypted information.

During the Town Hall, Mr. McKeon explained the updates to the DOD CIO’s CMMC 2.0 from CMMC 1.0.

CMMC Model Structure.jpg

Figure 1 Courtesy of DOD A&S CMMC Program Management Office

CMMC 1.0 Versus CMMC 2.0

CMMC Level 1 (FCI): The CMMC 1.0 NIST 800-171 (17) Practices remain the same for CMMC 2.0. What has changed in the CMMC 2.0 Model is that a third-party certification is not required. Instead, the requirement is an annual DOD Self-Assessment Score with Executive Attestation that the score is accurate and uploaded to the DOD’s Supplier Performance Risk System (SPRS). The SPRS database is referenced by DOD Contracting Officers to determine eligibility for bidding on DOD contracts.

CMMC Level 2 (CUI): CMMC 2.0 requires the NIST 800-171 (110) Practices but subtracted 20 CMMC- Specified Practices that are in addition to the NIST 800-171 practices CMMC 1.0 required. CMMC 2.0 still requires a triennial third-party certification from a CMMC Accreditation Board (AB) authorized institution.

Recognizing not all CUI has equal security risks and impacts, CMMC 2.0 allows special requests from contractors to be relieved of the third-party party certification permission, and instead upload the DOD Self-Assessment Score with Executive Attestation into SPRS. The DOD CIO will adjudicate requests that are submitted through the DOD Contracting Officer.

CMMC Level 3 (CUI): The DOD CIO has not yet released the NIST requirements for CMMC 2.0 Level 3 certification. What has been announced is that the third-party certification will come from the Defense Industrial Base (DIB) Cybersecurity Assessment Center (CAC), a division of the Defense Contract Management Agency (DCMA). To be eligible to be assessed by the DIBCAC, each Organization Seeking Certification (OSC) must have successfully certified to the CMMC 2.0 Level 2.

The CMMC Ecosystem

The DOD A&S office entered a no-cost contract with the CMMC AB to implement the DOD’s third-party certification systems. The CMMC AB contract has not been changed with the new customer now being the DOD CIO or with CMMC 2.0. The CMMC AB’s responsibilities are to create a certification ecosystem comprised of the authorized CMMC Licensed Partner Publishers (LPPs), Licensed Training Providers (LPTs) via higher education and professional training academies, Certified Assessors (CAs), Certified Third-Party Assessing Organizations (C3PAOs), and Registered Practitioners (RPs). RPs act as consultants and prepare OSCs for CAs’ assessments that lead to C3PAO certifications.

Compliance Schedule Change

With CMMC 1.0, the DOD A&S initially planned a paced roll out of contracts with the CMMC clause beginning with pilot contracts to test out the concept of a third-party certification in 2020 and culminating with the CMMC clause being included in 100% of applicable contracts in 2025. CMMC 2.0 has moved the timeline up significantly. The DOD CIO plans to enforce CMMC validations within six months of the completion of the extensive DOD Federal Acquisition Regulations (DFARS) legal approval process named the Final Rule. Upon the Final Rule release, the interim Cybersecurity DFARS clauses will be made permanent. DOD has previously stated the final rule release is between nine and 24 months starting November 2020.

Incentives

Mr. McKeon also announced that the DOD CIO is pursuing incentives for DIB companies that voluntarily pursue the triennial CMMC Level 2 certification. The incentive will be for OSCs to achieve CMMC 2.0 Level 2 certification prior to the Final Rule. Those companies may stay legally certified for three years from the Final Rule release date, regardless of the actual certification date. CMMC Level 2 Certification costs have been estimated to range from $50,000 to $100,000. This incentive has the potential to save a significant amount of money.

Call to Action

The DIB is the first line of defense, not only for DOD FCI/CUI but also for safeguarding the intellectual property that DOD depends on. The DIB is a diversified community that is interdependent on prime contractors, sub-contractors and suppliers. The DOD CIO has estimated that 80,000 DIB organizations will require CMMC 2.0 Level 2 C3PAO certifications. If you are a DIB company, or are seeking to move in that direction, pursuing CMMC 2.0 sooner will enable access to the CMMC professionals for certification, as those professionals are in high demand. The DIBCAC has certified only six C3PAOs and certification process trained professionals are less than 200.

Our Current Issue: Q1 2022