On November 9, 2021, the Cybersecurity Maturity Model Certification (CMMC) Accreditation Body (AB) hosted a one hour Town Hall focused on CMMC Version 2.0.  Matthew Travis, CEO of the CMMC AB; Jesse Salazar, Deputy Assistant Secretary of Defense for Industrial Policy; David McKeown, Deputy Department of Defense (DoD) Chief Information Officer for Cybersecurity (DCIO(CS)) and DoD’s Senior Information Security Officer (SISO); and Buddy Dees, Director of CMMC, DoD gave prepared remarks and answered questions during the session.

According to Mr. Salazar, CMMC Version 2.0 has been in the making for the past 8 months, and takes into account the over 850 public comments DoD received regarding CMMC 1.0.  Mr. McKeown explained that CMMC 1.0 may have been too broad and its requirements “too onerous,” especially on small and medium-sized contractors.  He described CMMC 2.0 — and its use of three levels rather than the five levels in CMMC 1.0 — as taking more of a risk-based approach than the original CMMC because it is primarily focused on the type of data being protected.

Buddy Dees provided greater detail regarding CMMC 2.0, but he cautioned that some details could still change.  Key details discussed about revisions in CMMC 2.0 include:

  • CMMC 2.0 will no longer have requirements that are unique to CMMC, including maturity processes. Along these lines, if the Department identifies gaps in security controls, it will take them to the National Institute of Standards and Technology (NIST) to consider for inclusion in future iterations of NIST publications, which are the source of the existing controls commonly referenced in DoD requirements.  If NIST concurs with a particular addition, then the appropriate NIST publication would be updated and included in the CMMC framework.  DoD said that this approach provides an opportunity for interagency discussion so that DoD can “better harmonize” with other agencies and have fewer bespoke DoD requirements.
  • Level 1 of CMMC 2.0 maps back to Level 1 in Version 1. The key difference is that Level 1 in CMMC 2.0 is a self-assessment rather than a third-party certification.  After a contractor completes the self-assessment, a senior official from the contractor must submit an affirmation that the contractor complies with Level 1 requirements.  When asked about the reliability of the self-assessment, Mr. Salazar said that DoD hoped that having a senior official complete the affirmation would increase accountability.
  • The requirements of Level 2 of CMMC 2.0 — the minimum level to handle Controlled Unclassified Information (CUI) — now map one-to-one to the controls set forth in NIST SP 800-171 Rev. 2. However, this new Level 2 will be bifurcated to account for prioritized and non-prioritized CUI.  Prioritized CUI would require an assessment by a third-party assessment organization, whereas non-prioritized CUI can be covered by a self-assessment.  DoD was clear that all CUI requires safeguarding, but acknowledged that some CUI contains information that is more sensitive to DoD and would therefore be more likely to be prioritized.  The example given in the meeting was that CUI related to military uniforms would not be prioritized, whereas CUI related to weapons systems would be prioritized.
  • Level 3 is most similar to Level 5 from the previous version of CMMC. One key difference is that Level 3 assessments in CMMC 2.0 will be conducted by government officials rather than by a third-party assessment organization.  Level 3 will include controls set forth in NIST SP 800-172.
  • The prior version of CMMC required that a contractor meet all security controls for a Level. CMMC 2.0 allows a contractor to use a Plan of Action and Milestones (POA&M) to plan for implementation of security controls that the contractor has not yet met.  Under CMMC 2.0, contractors will be permitted 180 days after contract award to become compliant with any gaps described in the POA&M.  After that, the contracting officer will be able to exercise the remedies that are normally available when a contractor fails to meet contract requirements.  A subset of controls will not be permitted to be included in a POA&M.  There will also be a minimum threshold score that contractors must meet to be considered for contract award.  That score was not disclosed, and it is not clear whether it could be procurement specific.
  • CMMC 2.0 also introduces a waiver process for required controls that a contractor cannot or will not implement. There are three requirements for the waiver.  First, it will only be allowed in “mission critical instances” and must be submitted by the Government program office; the submission must include a justification and a mitigation strategy.  Second, it will be time bound, with the timing being contract dependent.  Finally, it will require senior DoD approval.  DoD representatives stressed that they want to minimize overuse of the waivers.

DoD noted that it is continuing to work on the formal rulemaking process related to CMMC 2.0, which DoD anticipates could take between nine and twenty-four months.  During this time, DoD is suspending the CMMC pilot program previously introduced.  DoD is looking for ways to incentivize contractors to participate in CMMC prior to the final rule.  DoD hopes that some contractors will voluntarily seek CMMC Level 2 certification through a third-party assessment organization before the final rule is published.  DoD stressed the importance of its new CMMC website, located here, as the main source of CMMC 2.0 guidance.  DoD hopes to provide an updated model and assessment guide for CMMC 2.0 by the end of November 2021.  The CMMC AB is holding a follow-up meeting on November 30, 2021.

Susan B. Cassidy

Ms. Cassidy represents clients in the defense, intelligence, and information technologies sectors.  She works with clients to navigate the complex rules and regulations that govern federal procurement and her practice includes both counseling and litigation components.  Ms. Cassidy conducts internal investigations for government contractors and represents her clients before the Defense Contract Audit Agency (DCAA), Inspectors General (IG), and the Department of Justice with regard to those investigations.  From 2008 to 2012, Ms. Cassidy served as in-house counsel at Northrop Grumman Corporation, one of the world’s largest defense contractors, supporting both defense and intelligence programs. Previously, Ms. Cassidy held an in-house position with Motorola Inc., leading a team of lawyers supporting sales of commercial communications products and services to US government defense and civilian agencies. Prior to going in-house, Ms. Cassidy was a litigation and government contracts partner in an international law firm headquartered in Washington, DC.

Robert Huffman

Bob Huffman represents defense, health care, and other companies in contract matters and in disputes with the federal government and other contractors. He focuses his practice on False Claims Act qui tam investigations and litigation, cybersecurity and supply chain security counseling and compliance, contract claims and disputes, and intellectual property (IP) matters related to U.S. government contracts.

Bob has leading expertise advising companies that are defending against investigations, prosecutions, and civil suits alleging procurement fraud and false claims. He has represented clients in more than a dozen False Claims Act qui tam suits. He also represents clients in connection with parallel criminal proceedings and suspension and debarment.

Bob also regularly counsels clients on government contracting supply chain compliance issues, including cybersecurity, the Buy American Act/Trade Agreements Act (BAA/TAA), and counterfeit parts requirements. He also has extensive experience litigating contract and related issues before the Court of Federal Claims, the Armed Services Board of Contract Appeals, federal district courts, the Federal Circuit, and other federal appellate courts.

In addition, Bob advises government contractors on rules relating to IP, including government patent rights, technical data rights, rights in computer software, and the rules applicable to IP in the acquisition of commercial items and services. He handles IP matters involving government contracts, grants, Cooperative Research and Development Agreements (CRADAs), and Other Transaction Agreements (OTAs).

Ryan Burnette

Ryan Burnette advises clients on a range of issues related to government contracting. Mr. Burnette has particular experience with helping companies navigate mergers and acquisitions, FAR and DFARS compliance issues, public policy matters, government investigations, and issues involving government cost accounting and the Cost Accounting Standards.  Prior to joining Covington, Mr. Burnette served in the Office of Federal Procurement Policy in the Executive Office of the President, where he worked on government-wide contracting regulations and administrative actions affecting more than $400 billion dollars’ worth of goods and services each year.