On Nov. 4, the U.S. Department of Defense (DoD) announced that it is suspending the current iteration of the Cybersecurity Maturity Model Certification program (CMMC) in order to streamline the size and scope of required administrative, technical, and physical controls businesses contracting with DoD. Originally, CMMC was designed to take full effect in 2025 by requiring every defense contractor responsible for processing controlled unclassified information (CUI) to obtain certification from an approved third-party auditor indicating satisfaction of one of five levels of certification. Implementation of CMMC is now halted until DoD has completed a revision to the program intended to strategically meet the needs and capabilities of industries conducting business with the government. As the Office of Under Secretary of Defense described it, the goal is to make cybersecurity requirements “streamlined, flexible, and secure.”
In its place, DoD intends to promote CMMC 2.0, which will reduce the certification model from five levels to three. CMMC 2.0 will remove additional controls added under the initial program and rely primarily on those set forth in NIST 800-171. All contractors required to meet Level 1 (foundational, with 10 required cybersecurity practices and annual self-assessments) will be able to self-attest satisfaction of associated requirements. Level 2 (advanced, with 110 required practices aligned with NIST 800-171) will take a bi-furcated approach to certification with some priority contractors needing to participate in the audit process, while a subset of non-priority contractors will be able to self-attest satisfaction. In the coming weeks, DoD will announce the approach for Level 3 (expert, with at least 110 required practices aligned with NIST 800-171), which will likely be subject to the audit process as well as heightened requirements.
Unlike the original model, CMMC 2.0 will also allow for waivers to certification “under certain limited circumstances” for “select mission-critical requirements.” Waivers will need to be approved on a case-by-case basis by senior Pentagon leadership. In addition, DoD will specify a baseline number of cybersecurity-related requirements that must be achieved prior to contract award, but will allow companies to complete the remaining requirements at a later time in accordance with a plan of actions and milestones (POA&M).
CMMC 2.0 changes will be implemented after the completion of the rulemaking process for the Code of Federal Regulations and the Defense Federal Acquisition Regulation Supplement, following a public comment period. While the rulemaking is ongoing, the original CMMC requirements will no longer be included in any contract until the rulemaking efforts are complete. This could take anywhere from 9 to 24 months.
In the meantime, contractors should continue to meet the present requirements found in their respective contracts. For example, if a Defense contract incorporated the current CMMC clauses (DFARS 252.204-7019, -7020, and -7021), the contractor needs to continue compliance efforts until the respective contracting officer directs otherwise and provides a written modification. That means contractors still need to submit their Basic Assessments under the CMMC 1.0 framework, as required by DFARS 252.204-7020, if they have not already done so. As we recently shared on a webinar, businesses of all kinds will do well to take note of these requirements and international standards as a matter of best practice in the ongoing effort to reduce risk to information and systems.