Debunking Myths About CMMC 2.0
The cybersecurity world remains dynamic. On November 4, 2021, the Department of Defense (DoD) posted an update to its Cybersecurity Maturity Model Certification (CMMC) initiative, announcing program changes dubbed CMMC 2.0. These changes were driven by a tremendous amount of industry input; taken into consideration during the DoD’s review of the program over the past six months. The announced changes will impact the actions of DoD contractors as well as the service provider and vendor ecosystem that supports the defense industrial base (DIB).
To help government contractors better navigate the changes, I’d like to offer a few words of caution regarding some myths circulating about CMMC 2.0. Since we’re talking about the security of our nation, it’s important that everyone dig deeper than the headlines and ensure we are doing the best we can to build a resilient, well-defended DIB. Our nation is counting on us.
Myth One: CMMC is “on hold”. The DoD has stated their intent to move quickly now that their internal review is completed. The CMMC Accreditation Body (AB) and the DoD are both moving forward. Given that CMMC 2.0 now aligns exactly with current federal acquisition regulations (FAR) and defense federal acquisition regulation supplement (DFARS) requirements (in effect since 2017), they are not likely to allow a significant grace period for companies to come into compliance.
Myth Two: The rulemaking process is likely to slow things down. While it’s true that the rulemaking process can be excruciatingly slow, the DoD’s intent with CMMC 2.0 is to make the program easier and faster to implement. We may actually see CMMC getting into contracts faster than the original 2025 planned rollout date.
- The DoD has made a strong point about “streamlining” and “eliminating barriers.” CMMC 1.0 was on a five-year rollout timeline, and one big rate-limiting factor on the rollout was the capacity of CMMC third-party assessment organizations (C3PAOs) to perform third-party assessments. CMMC 2.0 greatly reduces the number of companies that need a C3PAO assessment, and this will enable a faster rollout and implementation cycle.
- Since the CMMC-specific (dubbed the “Delta 20”) practices and the maturity processes have been removed, CMMC 2.0 Level 2 is exactly aligned with the current DFARS 7012 requirements from the National Institute of Standards and Technology Special Publication (NIST SP) 800-171. Therefore, DoD will not need to allow for additional time or cost for companies to implement the required 110 practices, since all contractors have been required to have those practices in place since 2017.
- The DoD said the rulemaking process is expected to take nine to 24 months. Once completed, we could see a very fast implementation of CMMC requirements in new contracts.
Myth Three: CMMC has become easier. Level 1 is essentially unchanged; Level 2 has become marginally easier and Level 3 is still to be determined, but likely a bit easier due to the elimination of the maturity processes. However, CMMC 2.0 can evolve and change faster than CMMC 1.0. We should expect the bar to rise as the threats we face adapt to our new security posture.
- Requirements will evolve as NIST SP 800-171 and 172 (and associated assessment guides) are updated without the need for a change to the CMMC regulations or model.
- The criteria for prioritizing contracts that require a C3PAO assessment are in the hands of the DoD and, if they shape the regulations as expected, can change as the ecosystem of available C3PAOs gets up to speed.
- Level 3 audits are now conducted by the government rather than C3PAOs.
Myth Four: CMMC will now cost less. Some aspects of CMMC will cost less, while others will not.
- For Level 1 companies, a tri-annual C3PAO assessment has been replaced by a self-assessment. While a self-assessment will generally cost less than a C3PAO assessment, it has to be done three times as often and the assessment procedure that must be followed is likely to be the same.
- For Level 2 companies, the elimination of CMMC 1.0’s Delta 20 practices and the maturity processes reduces the number of items that must be assessed. This will reduce the cost of C3PAO assessments. For those that are allowed to do a self-assessment, this will be an annual requirement rather than tri-annual for the C3PAO assessments and the assessment procedure is the same.
Myth Five: DIB companies can wait for the rulemaking to be finalized before making cybersecurity decisions.
- Threat actors are not waiting until CMMC is fully rolled out to attack the DIB. This fact alone signals that we should not delay improvements to our cybersecurity hygiene.
- The DoD has published its intent and they have said the details of the CMMC 2.0 standard will be published ahead of (or as part of) the rulemaking. Because Level 2 will correspond exactly to the current NIST SP 800-171 practices that are already required by DFARS 7012, contractors have no reason to wait to implement those practices. In fact, they are at risk of non-compliance (and the associated penalties) if they do not currently have a 110 self-assessment score in the DoD’s supplier performance risk system (SPRS).
- It is advisable for companies that currently have a 110 SPRS score to voluntarily seek certification as soon as C3PAO assessments are commercially available. First, this will give those companies an edge over competitors that are still working on raising their SPRS score. Second, a C3PAO assessment is good for three years and will ensure the ability to bid on any contract that requires it as CMMC 2.0 rolls out.
- As the requirements for the new CMMC Level 3 have not yet been published, contractors cannot actively seek this level now. They can, however, implement supplemental (above Level 2) controls as indicated by a security risk assessment. Specifically, this should focus on three areas:
- 1) Non-federal organization (NFO) controls from NIST SP 800-171 Appendix E (i.e., those that are “expected to be routinely satisfied”)
- 2) “non-confidentiality controls” (i.e., those marked “NCO” in Appendix E of NIST SP 800-171) controls from NIST SP 800-171 Appendix E (i.e., those that relate to integrity and availability rather than confidentiality of controlled unclassified information [CUI])
- 3) selected controls from NIST SP 800-172 that are relevant to risks faced by the organization.
- All three of these areas should be addressed by risk assessment to ensure that the correct controls are selected. It is not advisable to blindly follow the NIST SP 800-171, as it is not a comprehensive cybersecurity standard. Rather, by design, it only addresses exfiltration of CUI.
Myth Six: The expanded use of self-assessment under CMMC 2.0 means “do it yourself” is more feasible.
- The complexity of the requirements has not changed significantly and the requirement for an annual self-assessment and affirmation means that companies should still rely on expert third parties to conduct their security and IT operations in a compliant manner.
- The summary SPRS score is likely to be replaced by a detailed self-assessment report under CMMC. Following the assessment guide will require skilled personnel and answering questions of interpretation will still be best handled by CMMC registered provider organizations.
In closing, although the complexities associated with an effective cybersecurity program have not changed significantly, CMMC 2.0 has basically unblocked compliance by making it even more affordable and achievable. Most in the DIB have self-attested they are compliant with NIST SP 800-171 since 2017. CMMC 2.0 builds on this requirement with increased scrutiny, enforcement and the selective addition of controls where needed. With CMMC 2.0 rulemaking expected to take nine to 24 months, contractors should use the time prior to the CMMC rollout wisely to ensure they are fully compliant with current requirements and are ready to demonstrate this to a C3PAO or government auditor if they have CUI.