On November 9, 2021, the Cybersecurity Maturity Model Certification (CMMC) Accreditation Body (AB) hosted a one-hour Town Hall focused on CMMC Version 2.0. Matthew Travis, CEO of the CMMC AB; Jesse Salazar, Deputy Assistant Secretary of Defense for Industrial Policy; David McKeown, Deputy Department of Defense (DoD) Chief Information Officer for Cybersecurity (DCIO(CS)) and DoD’s Senior Information Security Officer (SISO); and Buddy Dees, Director of CMMC, DoD, gave prepared remarks and answered questions during the session.
According to Mr. Salazar, CMMC Version 2.0 has been in the making for the past 8 months and takes into account the over 850 public comments DoD received regarding CMMC 1.0. Mr. McKeown explained that CMMC 1.0 may have been too broad and its requirements “too onerous,” especially on small and medium-sized contractors. He described CMMC 2.0 — and its use of three levels rather than the five levels in CMMC 1.0 — as taking more of a risk-based approach than the original CMMC because it is primarily focused on the type of data being protected.
Buddy Dees provided greater detail regarding CMMC 2.0, but he cautioned that some details could still change. Key details discussed about revisions in CMMC 2.0 include:
- CMMC 2.0 will no longer have requirements that are unique to CMMC, including maturity processes. Along these lines, if the Department identifies gaps in security controls, it will take them to the National Institute of Standards and Technology (NIST) to consider for inclusion in future iterations of NIST publications, which are the source of the existing controls commonly referenced in DoD controls. If NIST concurs with a particular addition, the appropriate NIST publication would be updated and included in the CMMC framework. DoD said that this approach provides an opportunity for interagency discussion so that DoD can “better harmonize” with other agencies and have fewer bespoke DoD requirements.
- Level 1 of CMMC 2.0 maps back to Level 1 in Version 1. The key difference is that Level 1 in CMMC 2.0 is a self-assessment rather than a third-party certification. After a contractor completes the self-assessment, a senior official from the contractor must submit an affirmation that the contractor complies with Level 1 requirements. When asked about the reliability of the self-assessment, Salazar said that DoD hoped that having a senior official complete the affirmation would increase accountability.
- The requirements of Level 2 of CMMC 2.0 — the minimum level to handle Controlled Unclassified Information (CUI) — now map one-to-one to the controls set forth in NIST SP 800-171 Rev. 2. However, this new Level 2 will be bifurcated to account for prioritized and non-prioritized CUI. Prioritized CUI would require an assessment by a third-party assessment organization, whereas non-prioritized CUI can be covered by a self-assessment. DoD was clear that all CUI requires safeguarding, but acknowledged that some CUI contains information that is more sensitive to DoD and would therefore be more likely to be prioritized. The example given in the meeting was that CUI related to military uniforms would not be prioritized, whereas CUI related to weapons systems would be prioritized.
- Level 3 is most similar to Level 5 from the previous version of CMMC. One key difference is that Level 3 assessments in CMMC 2.0 will be conducted by government officials rather than by a third-party assessment organization. Level 3 will include controls set forth in NIST SP 800-172.
- The prior version of CMMC required that a contractor meet all security controls for a Level. CMMC 2.0 allows a contractor to use a Plan of Action and Milestones (POA&M) to plan for implementation of security controls that the contractor has not yet met. Under CMMC 2.0, contractors will be permitted 180 days after contract award to become compliant with any gaps described in the POA&M. After that, the contracting officer will be able to exercise the remedies that are normally available when a contractor fails to meet contract requirements. A subset of controls may not be included in a POA&M. There will also be a minimum threshold score that contractors must meet to be considered for contract award. That score was not disclosed, and it is not clear whether it could be procurement specific.
- CMMC 2.0 also introduces a waiver process for required controls that a contractor cannot or will not implement. There are three requirements for a waiver. First, it will only be allowed in “mission critical instances” and must be submitted by the Government program office; the submission must include a justification and a mitigation strategy. Second, it will be time bound, with the timing dependent on the contract. Finally, it will require senior DoD approval. DoD representatives stressed that they want to minimize overuse of waivers.
DoD noted that it is continuing to work on the formal rulemaking process related to CMMC 2.0, which DoD anticipates could take between nine and twenty-four months. During this time, DoD is suspending the CMMC pilot program previously introduced. DoD is looking for ways to incentivize contractors to participate in CMMC prior to the final rule, and hopes that some contractors will voluntarily seek CMMC Level 2 certification through a third-party assessment organization before the final rule is published. DoD stressed the importance of its new CMMC website, located here, as the main source of CMMC 2.0 guidance. DoD hopes to provide an updated model and assessment guide for CMMC 2.0 by the end of November 2021. The CMMC AB is holding a follow-up meeting on November 30, 2021.