12/02/2021 | News release | Distributed by Public on 12/02/2021 10:38
CMMC 2.0 simplifies the certification regime to:
Although these changes appear to lessen the burden on contractors (granting more time while reducing requirements), defense contractors are nonetheless well advised to proactively manage cybersecurity threats.
US information networks are targets of cyberattacks every day, and cyber threats continue to evolve. The Defense Industrial Base (DIB) is a prominent target for cyberattacks, which are becoming ever more frequent and complex.
As part of its efforts to implement Section 1648 of the NDAA for fiscal year 2020 and better protect against cyber threats, the DoD developed the CMMC program to safeguard sensitive controlled unclassified information (CUI) that is shared by the DoD with its contractors by incorporating a cybersecurity certification requirement into the defense contracting process. The initial CMMC framework was published in an Interim Rule which took effect November 20, 2020, and mandated that by 2025, most defense contracts would require prime and subcontractors to be certified by an accredited third-party assessor organization as meeting one of five levels of cybersecurity maturity.
In March 2021, Deputy Secretary of Defense Kathleen Hicks directed an internal DoD review of the CMMC program to determine whether the program was accomplishing its stated goals without creating unnecessary barriers for defense contractors. As part of the review, the Department conducted more than 1,000 interviews about challenges and questions surrounding the CMMC program and considered the more than 850 public comments that were submitted. The review produced significant changes to the program. Those program changes were announced on November 4, 2021 as CMMC 2.0.
The CMMC 2.0 requirements, like most procurement regulations, apply to contractors and subcontractors only to the extent the CMMC contract clause appears in their agreements. As of the effective date of the Interim Rule, the previous CMMC clause is no longer approved for inclusion in DoD contracts, and a new clause to implement the framework of set forth in the Interim Rule remains forthcoming. It is expected the new clause will be required in all DoD contracts and subcontracts other than those for commercial-off-the-shelf (COTS) items. Where the clause appears in a contract, it is expected to impose requirements on contractors and subcontractors that obtain and/or handle Federal Contract Information (FCI) and CUI.
Under CMMC 2.0, not all contractors will be required to obtain third-party assessments of their cybersecurity maturity. Instead, contractors undergo either a self-assessment, third-party assessment, or government assessment, based on the hierarchical CMMC level sought. For CMMC Level 1, applicable to defense contractors that do not process, store, or transmit CUI, but do process, store or handle FCI, only a self-assessment is required, the results of which are to be submitted to DoD accompanied by the affirmation of a senior company official. For CMMC Level 2, some contractors will be permitted to submit self-assessments if they do not handle information deemed critical to national security. The remaining Level 2 contractors will be required to undergo a cybersecurity maturity assessment by a Certified Third-Party Assessment Organization (C3PAO). For CMMC Level 3, contractors will have to undergo a government-led assessment of their cybersecurity maturity and compliance.
The ability to self-certify is a double-edged sword that should be used with caution. Without a doubt, self-certification might be lower cost and accomplished on a more congenial schedule than a third-party certification. Those benefits must be weighed, however, against the benefit of the rigor of neutral third-party review, and the legal benefit of not having to make an express certification that might later prove inaccurate.
CMMC 2.0 collapses the original cybersecurity maturity model framework from five levels to three (old "transitional" levels 2 and 4 have been dropped), which will simplify the program for both contractors and the DoD. Of greater effect, CMMC 2.0 removes all CMMC-unique practices and all maturity processes from all levels and allows for self-assessments in many instances, as noted above and shown in the chart below.
At this juncture, it appears Level 1 compliance under Version 2.0 will remain the same as under Version 1.0, requiring the implementation of 17 basic security practices, which have long been required under FAR 52.204-21, "Basic Safeguarding of Contractor Information Systems," and consist of a subset of the requirements set forth in the NIST SP 800-171 (although theoretically possible, it seems unlikely changes would be made to the 17 basic security practices that were required under CMMC 1.0).
Under CMMC 2.0, Level 2 compliance will require satisfactory implementation of all 110 requirements set forth in NIST SP 800-171 (with the exceptions noted below for POA&Ms and waivers). Most existing defense contractors already are familiar with NIST SP 800-171, compliance with which has been required under DFARS 252.204-7012, "Safeguarding covered defense information and cyber incident reporting" since late 2017, such that the only new or additional requirement associated with CMMC 2.0 Levels 1 and 2 will be the requirement for an attestation of a senior company official that must accompany self-assessments.
The model for Level 3, which is still under development, will include the requirements of NIST SP 800-171, plus a subset of the NIST SP 800-172 enhanced security requirements. The additional protective measures outlined in NIST 800-172 were developed for use by agencies when sharing CUI associated with a critical program or a high-value asset which is a potential target for advanced persistent threats. These requirements form the foundation for a "multidimensional, defense-in-depth protection strategy that includes three mutually supportive and reinforcing components: (1) penetration-resistant architecture, (2) damage-limiting operations, and (3) designing for cyber resiliency and survivability." Designed to supplement the basic and derived security requirements in 800-171, subsets of the 800-172 requirements can be selected to fit the specific mission and business purposes of the agency or program.
In addition to streamlining the certification program, CMMC 2.0 adds flexibility in two respects: in certain circumstances, companies will not be prohibited from seeking contracts despite not meeting CMMC requirements if they can present POAMs that evidence a concrete plan and steps to be taken toward certification; and in limited circumstances, companies may be granted certification waivers for select mission-critical requirements, with senior DoD leadership approval and for a limited duration.
The phased rollout of CMMC 1.0 has been canceled. This is unsurprising since the phased rollout provided that 15 contracts would include CMMC requirements in FY 2021, but no such contracts were announced before the end of the fiscal year.
CMMC 2.0 will not go into effect until after the rulemaking on 32 CFR to define the CMMC regime more fully, and after the rulemaking on 48 CFR to update the procurement code. The agency estimates the rulemaking may take 9 to 24 months. That timeframe, which seems optimistic, means that across-the-board implementation could come as early as the fourth quarter of 2022. Although that date is three years earlier than the now-abandoned phased rollout of CMMC 1.0, CMMC 2.0 allows both for POAMs and waivers - removing the hard-edge compliance deadline.
Although the DoD and third-party assessment organizations are urging companies to get their cyber houses in order early - indeed the DoD is "exploring opportunities to provide incentives for contractors who voluntarily obtain a CMMC certification in the interim period" - uncertainty abounds because details of CMMC 2.0 are yet to be announced.
Questions contractors are asking include:
Arent Fox attorneys will continue to monitor developments. If you are interested in discussing steps your company should consider toward CMMC 2.0 certification, please contact Cissy Jackson, Travis Mulley, Kevin Pinkney, or another member of Arent Fox's Government Contracts Group, or the Arent Fox attorney which whom you already work.