Key Takeaways From CMMC 2.0
What It Means for the Present & the Future
[NOTE: Schellman previously blogged on the initial roll-out of CMMC here. This article supersedes prior Schellman content as the model has been revised and updated by DoD.]
What is CMMC?
As a result of the new digital age, a rise in cybercrime has paralleled technological advances we are seeing evolve every day.
Various data breaches for well-known corporations remain spotlighted by the media, but no industry is untouched by the impacts of such attacks. In fact, our Defense Industrial Base (DIB) continues to be a prime target for exploitation by our overseas adversaries.
These attackers continue to attempt exposing highly sensitive personnel records and technical data among other information that can be leveraged criminally against the United States. Not only do these attempts and breaches place the lives of government personnel and U.S. service members at increased risk, but they also result in billions of losses to the American GDP.
It’s both a dire and costly problem for which the Department of Defense (DoD) has sought a solution.
In an effort to mitigate such risk and standardize practices for those involved with the U.S. government, the Cybersecurity Maturity Model Certification (CMMC) was developed to improve upon cybersecurity preparedness in the DIB. Initially announced on January 31, 2020, it expands upon the initiatives introduced with NIST SP 800-171 and DFARS 252.204-7012.
Under the CMMC program, DIB contractors will be required to implement certain cybersecurity protection standards and, as required, obtain CMMC certification as a condition of DoD contract award.
Initially, CMMC implementation was expected to be slow-walked with a limited number of contractors selected for certification in 2021 and onward, with all contractors subject to CMMC requirements by October 1, 2025. An interim DFARS rule effective November 30, 2020, was issued to amend the Defense Federal Acquisition Regulation Supplement (DFARS) to implement CMMC.
But now, the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) and the DoD released CMMC 2.0 on November 4, 2021. In the time since the original announcement, both a public review and a formal review by the DoD generated comments on the initial stipulations of the new program—comments that have since been used to make modifications now known as version 2.0.
Schellman has been following this developing situation since the initial announcement. To help you understand what has changed in this latest version, we have broken down this release, the differences and the carryovers, as well as what you can expect in the future.
In short, these were not small changes introduced.
In CMMC 2.0, OUSD A&S introduced several key modifications that build on and refine the original framework, including the following:
- The elimination of CMMC levels 2 and 4 entirely.
- The removal of all maturity processes from the CMMC Model.
- The removal of practices unique to CMMC (i.e., practices not included in NIST 800-171 or NIST 800-172).
- For CMMC Level 1, annual self-assessments are now allowed with an annual affirmation by DIB company leadership.
- For CMMC Level 2 (formerly Level 3), requirements are now bifurcated. For prioritized acquisitions, independent assessments are now requisite, whereas non-prioritized acquisitions will instead only require annual self-assessment and annual company affirmation.
- The development of a time-bound and enforceable Plan of Action and Milestone (POAM) process.
- The development of a selective and time-bound waiver process, if needed and if approved by DoD.
- The continued development of CMMC Level 3 (formerly Level 5) requirements.
This list represents an abbreviated summary of the extensive changes—more comprehensive information about CMMC 2.0 is available here.
More on Those Changes to POAMs & Waivers
While it’s expected that additional guidance on the use cases for POAMs and waivers in CMMC will be formally published by the DoD, some details were already provided on the November 9, 2021, CMMC-AB Town Hall shortly after the release of CMMC 2.0.
As we said before, these processes are still in development, but here is what we know so far:
- POAMs will be time-bound with a potential maximum life of 180 days.
- There will be limits on the CMMC requirements that are allowed to be placed on a POAM.
- DoD expects to develop a “minimum score” for CMMC certification, which means that critical controls or those with a high “weighted value” must be implemented (i.e., not on a POAM) to achieve the minimum score.
- CMMC waivers may be allowed on a very limited basis – in specific mission critical instances and when supported by senior DoD approval.
- Waivers must also be time bound and supported by mitigation strategies to reduce the risk to Controlled Unclassified Information (CUI) stored, processed, and transmitted by the DIB company seeking the waiver.
What Hasn’t Changed?
Amidst all this, not everything changed within CMMC 2.0:
- As was the case with its predecessor, 2.0 will also be codified through the rulemaking process, which may take anywhere between nine (9) to 24 months.
- Similarly, CMMC will not be a contractual requirement for organizations until rulemaking is complete.
And while CMMC 2.0 documentation has not yet been published, DoD and the CMMC Accreditation Body (CMMC-AB) are working to update the model, assessment guides, scoping guidance, and the assessment process. As discussed during the CMMC-AB Town Hall on November 9, 2021, these updated documents may even be published later this month.
CMMC’s Future View
Still, with all these modifications, it’s obvious now that CMMC will look different than what we’ve expected and understood for the last 18+ months under the original CMMC Model. The table below provides another view of the changes introduced with CMMC 2.0.
Going Forward: What to Expect?
Licensed Publishing Partners (LPPs), Licensed Training Providers (LTPs), and Provisional Instructors are currently coordinating to ensure that relevant training materials and content supporting the Certified CMMC Professional (CCP) accredited course, as well as the development of the Certified CMMC Assessor (CCA) accredited course, are updated and align with CMMC 2.0.
Moreover, as all this continues to progress, the first authorized CMMC Third Party Assessor Organizations (C3PAOs) expect to be granted access to the Enterprise Mission Assurance Support Service (eMASS) system where CMMC assessment results will be delivered to DoD for CMMC certificate issuance. As such, we expect that some organizations may electively undergo certification performed by said authorized C3PAOs. However, the DoD and CMMC-AB are still formalizing the details of this “voluntary” certification.
Recently having become one of those first authorized C3PAOs, Schellman employs several provisional assessors and provisional instructors. As a C3PAO, Schellman will be working in partnership with the CMMC-AB to determine subsequent impacts to Organizations Seeking Certification (OSCs), specifically as it pertains to the CMMC assessment scoping, preparation, and execution.
We hope to have more information for you soon, as we will continue to monitor the program’s evolution while CMMC 2.0 is formalized. In the meantime, if you find you have questions regarding the developments already published, we are happy to speak with you and ease your concerns.
Schellman is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, HITRUST CSF Assessor, a FedRAMP 3PAO, and most recently, an APEC Accountability Agent. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Our approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives through a single third-party assessor.