At long last, the Department of Defense has completed a months-long internal review of the CMMC program and released its strategic intent for modifying and enhancing it. CMMC version 2.0 is the result of analysis by DoD and Pentagon leadership, who reviewed inputs from the GAO, the DoD Inspector General, and over 850 public comments on the November 2020 DFARS interim rule. Woven into the discussion of that strategic intent, this blog covers the key differences between CMMC 1.0 and CMMC 2.0 and what they could mean for your organization as a whole. In part 2 we will cover the remaining strategic enhancements and look at what steps Organizations Seeking Certification (OSCs) must take to continue preparing for CMMC assessments.
The current information on CMMC 2.0 represents the DoD's strategic intent for enhancing the CMMC program. DoD efforts to revise and supplement the program fall into eight broad categories.
In this blog, we're going to cover the first four categories as they relate to contractors in the Defense Industrial Base: focus, clarity, alignment, and cost.
Do note here that the underlying requirements in NIST SP 800-171 have not changed, and they still must be implemented. If a company handles and manages Controlled Unclassified Information (CUI), CMMC 2.0 represents very little tangible change. You can find more information on this subject by watching my talk from a previous Cloud Security and Compliance Series (CS2) virtual event. The biggest open question will be whether the CUI you handle places you in the subset of CMMC 2.0 Level 2 that requires an external (third-party) assessment rather than a self-assessment. Beyond that, a well-planned approach to system and security architecture would not vary much at all before CMMC 1.0, during CMMC 1.0, or now as we begin to operate under CMMC 2.0.
DFARS and Controlled Unclassified Information (CUI)
As with previous updates to DFARS cybersecurity regulations, CMMC 2.0 requirements will be conveyed through contract clauses. As a result of some of the specific changes, DoD will need to go through the rule-making process in both Title 32 and Title 48 of the Code of Federal Regulations. Currently, the government-wide Controlled Unclassified Information (“CUI”) Program is codified at 32 CFR 2002 whereas 48 CFR contains the more familiar DFARS clauses 252.204-7012, 252.204-7019, 252.204-7020, and 252.204-7021.
Some of the programmatic changes under CMMC 2.0, such as limited duration and case-by-case waivers, must be integrated with existing regulations in 32 CFR whereas the final language that will show up in contracts will be captured by 48 CFR. CMMC 2.0 requirements will be implemented once the rule-making process is complete which is estimated to take 9-24 months as shown in the graphic below.
Here is a link to the official CMMC 2.0 ANPR.
The DoD maintains that they will pursue the rule-making process for both rules as expeditiously as possible. Under CMMC 1.0, requirements would have gone into all contracts in October of 2025 with a phased roll-out utilized in the interim. Under CMMC 2.0 the DoD has not indicated that such a phased roll-out will exist. Should the rule-making process go relatively quickly this could represent an acceleration of the original timeline under CMMC 1.0. Until the rule-making process is complete, the DoD has suspended all CMMC pilot programs, and no CMMC requirements will be prescribed in solicitations.
Many details will be revealed during the rule-making process. Questions remain about how the DoD will establish reciprocal acceptance standards for international requirements as well as other certifications, such as FedRAMP for commercial cloud services. Ultimately, the requirements under CMMC 2.0 will utilize standard DFARS contractual flowdown mechanisms to extend CUI protections to subcontractors and suppliers.
Now, let's cover four of the eight aforementioned strategic categories; we will cover the remaining four in part 2.
The largest structural change in the DoD's approach to CMMC is the new focus on data criticality, specifically on what the DoD refers to as information deemed critical to national security.
The DoD has yet to define exactly what this term means or how it will be determined. However, it has acknowledged that while safeguarding CUI remains the center of gravity of the CMMC program, the subset of CUI critical to national security will be its primary focus. According to the DoD, roughly 40,000 companies fall into this new category. The DoD is notorious for having little-to-no supply chain visibility beyond Tier 1 subcontractors, especially regarding data flow and CUI, so its headcount estimates for the affected population have consistently run low by a significant margin.
The contract flowdown mechanisms mentioned earlier rarely include any reporting of telemetry back to the DoD, so the department cannot see how far CUI actually travels down a supply chain. Additionally, the DoD is narrowing its focus to companies that support high-priority programs. How priority, national security, and criticality relate to one another remains short on details.
Perhaps the most visually striking difference in CMMC 2.0 is the consolidation of the previous five-level model structure into three levels. CMMC 2.0 removes levels 2 and 4 entirely.
The streamlined model appears striking, but the DoD never had plans to issue contracts requiring certification at levels 2 or 4. Those levels were intended to be what the DoD called transition levels, stepping stones for companies pursuing higher levels of security maturity. As a result, CMMC 2.0 more accurately reflects what the DoD will actually require.
Although 2.0 retains "Maturity" in its title, the maturity-model approach has always been a poor fit for CUI requirements. Companies that must handle CUI in the course of doing business cannot certify at any level lower than level 2 in CMMC 2.0 (the equivalent of level 3 in CMMC 1.0). Companies that will never handle CUI have very little reason to implement the NIST SP 800-171 controls and other DFARS cybersecurity requirements at all. So while the security controls may nominally sit along a continuum of maturity, that continuum exists mostly in name only.
Easily the most popular change under CMMC 2.0 is the removal of CMMC-unique security controls (referred to as practices and processes under CMMC 1.0).
CMMC 1.0 included an additional 20 controls, often referred to as the Delta 20, as well as maturity processes that imposed significant documentation requirements. Now the DoD has made level 2 equivalent to the security requirements contained in NIST SP 800-171, and level 3 will be equivalent to a subset of NIST SP 800-172. The DoD is careful to note that by pinning CMMC 2.0 levels to NIST standards, DoD requirements will continue to evolve as the underlying NIST requirements change and adapt. Despite the significant changes to the program around those NIST requirements, the fact is that NIST SP 800-171 itself remains unchanged, as does the obligation to implement its 110 security requirements pursuant to DFARS 252.204-7012.
The DoD touts CMMC 2.0 as a major win on the basis of cost. Comparing programs, CMMC 2.0 is much cheaper overall than CMMC 1.0 because of the removal of the assessment requirements and corresponding engineering and assessment cost estimates associated with levels 1, 2, and 4. Additional cost savings under CMMC 2.0 come from the elimination of CMMC-unique practices and maturity requirements across all levels. Further cost savings stem from the allowance of self-assessments for companies that do not handle information critical to national security (level 1 and a subset of level 2). While this does represent a dramatic reduction in the cost of the government program, for those companies who manage CUI and still need external assessment the DoD explicitly stated assessment costs will depend upon several factors including the CMMC level, complexity of the DIB company’s unclassified network for the certification boundary, and market forces. DoD will develop a new cost estimate associated with CMMC 2.0 to account for the changes made to the program which will be published on the Federal Register as part of the rule-making process.
Thus, companies with CUI requiring external assessment and CMMC certification should be cautious before assuming that cost savings will be as significant as the DoD claims.
What OSCs Can Do Right Now
As a refresher, your requirements under DFARS 252.204-7012 and NIST SP 800-171 have not changed; meeting these two compliance mandates is the first and most logical next step if you have not already started down this path. For more information on these requirements, check out this video from a session at a previous Cloud Security and Compliance Series (CS2) event.
Thousands of companies have conducted NIST SP 800-171 self-assessments, calculated their scores according to the DoD Assessment Methodology, and officially reported those scores to the government via SPRS in order to comply with the DFARS interim rule. Because NIST SP 800-171 and CMMC are so deeply intertwined, most of those companies have treated their assessments and scores as an indication of CMMC readiness, often after paying for expensive gap assessments. Unfortunately, many organizations have done these things incorrectly, leading to a host of problems and exposing them to significant risk.