CMMC: Cybersecurity Maturity Model Certification
In November 2021, DoD launched “CMMC 2.0,” an updated program structure and requirements designed to achieve the primary goals of the internal review:
- Safeguard sensitive information to enable and protect the warfighter
- Dynamically enhance DIB cybersecurity to meet evolving threats
- Ensure accountability while minimizing barriers to compliance with DoD requirements
- Contribute towards instilling a collaborative culture of cybersecurity and cyber resilience
- Maintain public trust through high professional and ethical standards
These changes will be implemented through the formal rulemaking process.
While these rulemaking efforts are ongoing, the Department intends to suspend the current CMMC Piloting efforts and will not approve inclusion of a CMMC requirement in any DoD solicitation.
Overview of Information Requiring CMMC Certification
DoD has issued CMMC 2.0. At this time, the changes that have been promulgated will have no immediate impact to members in the Defense Industrial Base (DIB). Changes will go through the formal rule making process which may take anywhere from 9 to 24 months. As a result, DoD has stated that “while these rulemaking efforts are ongoing, the Department intends to suspend the current CMMC Piloting efforts and will not approve inclusion of a CMMC requirement in any DoD solicitation.”
Even though DoD intends to suspend the CMMC Piloting effort, DoD is in favor of companies which voluntarily pursue CMMC certification from C3PAO’s approved by the CMMC-AB. To further its goal of better cybersecurity and underscore the importance of members of the DIB being able to protect sensitive information, DoD is exploring incentives that may be used to encourage members of the DIB to voluntarily achieve CMMC Level 2 certification. At this time, there is no information or examples that describe what an incentive may involve.
Therefore, until these changes are formally announced, and implemented, or new regulations are issued, members of the DIB should continue to focus on continually reviewing and improving their cybersecurity, and cyber-resilience by working to strengthen their programs and reducing the number of items on their Plan of Action and Milestones (POA&M) developed under NIST SP 800-171 r2. Currently, the following clauses are active and address cybersecurity requirements – FAR 52.204-21, DFARS 252.204-7012, DFARS 252.204-7019 and DFARS 252.204-7020. It is important to note that all these clauses include flow-down requirements. Businesses should also review all solicitations and award documents to identify any unique and specific requirements.
Companies should also be aware that adherence to or compliance with a single clause may not relieve them of other responsibilities that result from other applicable U.S. Government statutory or regulatory requirements. Companies need to identify all documents and information security and handling requirements that are unique to each document. This would include company IP, customer IP, FCI, CUI, ITAR, Export Controlled, NOFORN and other program information. Each program has its own security requirements, and the handling of any document must conform to the most rigorous handling requirements which include sharing information with subcontractors/suppliers and how to properly dispose of sensitive information.
With respect to CMMC 2.0, the following are noteworthy changes:
- The number of Levels has been reduced from five to three. This change removes what were identified as Levels 2 and 4 under CMMC v1.02. Under CMMC v2.0, DoD will identify mandatory security measures that companies must have in place and maintain for contract award/compliance. POA&M’s will be allowed but will have timelines attached to outstanding elements. Failure to comply with the specified timeline requirements will be subject to normal and authorized contractual actions taken by contracting officers for failure to meet any other contractual responsibilities. Additionally, under CMMC 2.0 DoD will consider waivers to CMMC requirements. Waivers will be considered only when submitted by the government with justification and risk-management strategies. Waivers will be considered on a case-by-case basis, they will be time-bound, and will not automatically apply to follow-on requirements.
- CMMC 2.0 will utilize only NIST requirements. CMMC Level 2 will follow NIST SP 800-171 requirements. DoD unique requirements will not be created. If DoD determines that additional security measures are required DoD will work with NIST to update the appropriate publication.
- CMMC 2.0 Level 1 will only address securing Federal Contract Information (FCI). This level is identified as being Foundational and will include the current 17 security measures identified under CMMC v1.02. Companies will certify their compliance with Level 1 requirements by annually submitting a self-certification. It is expected that the self-certification will take the form of an affidavit submitted by either the owner or a senior company official.
- CMMC 2.0 Level 2 is referred to as Advanced and will address measures necessary to secure Controlled Unclassified Information (CUI). Companies will be required to implement the 110 security controls listed in NIST SP 800-171. DoD has determined that there are varying levels of CUI and therefore not all CUI poses the same threat to National Security. As a result, a subset of Level 2 solicitations will only require an annual self-certification and presumably an affidavit submitted by either the owner or a senior company official. Examples of CUI that might be an example of this subset may be requirements related to uniforms or food items. Alternatively, procurements that are more directly related to national security issues such as weapons systems will be categorized as being more sensitive. Companies that handle this information be required to undergo a triannual third-party certification from the CMMC-AB.
- The most sensitive information defined as CUI will be protected by companies that achieve CMMC 2.0 Level 3 or Expert certification. This level of certification will require compliance with the 110 controls in NIST SP 800-171 and a subset of requirements from NIST SP 800-172. Additionally, these companies will undergo triannual assessments led by government officials.
Overall, the changes made reflect an effort to ensure that information related to national security is provided adequate protection while attempting to create a system that affords flexibility and consideration of the time, effort and cost necessary to develop and maintain a cybersecurity program.
- DoD CUI program page: https://www.dodcui.mil/
- DoD CMMC 2.0 home page: https://dodcio.defense.gov/CMMC/
- FAR 52.204-21: https://www.acquisition.gov/far/part-52#FAR_52_204_21
- DFARS 252.204-7012: https://www.acquisition.gov/dfars/part-252-solicitation-provisions-and-contract-clauses#DFARS-252.204-7012
- DFARS 252.204-7019: https://www.acquisition.gov/dfars/part-252-solicitation-provisions-and-contract-clauses#DFARS-252.204-7019
- DFARS 252.204-7020: https://www.acquisition.gov/dfars/part-252-solicitation-provisions-and-contract-clauses#DFARS-252.204-7020
- NIST SP 800-171 r2: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf
- Supplier Performance Risk System (SPRS): https://www.sprs.csd.disa.mil/
For additional information on the new CMMC requirements please contact Matt Frost at MattF@wispro.org or 608-293-0920.
[Updated March 2023]