On November 9, 2021, the Cybersecurity Maturity Model Certification (CMMC) Accreditation Body (AB) hosted a one-hour Town Hall focused on CMMC Version 2.0.  Matthew Travis, CEO of the CMMC AB; Jesse Salazar, Deputy Assistant Secretary of Defense for Industrial Policy; David McKeown, Deputy Department of Defense (DoD) Chief Information Officer for Cybersecurity (DCIO(CS)) and DoD’s Senior Information Security Officer (SISO); and Buddy Dees, Director of CMMC, DoD, gave prepared remarks and answered questions during the session.

According to Mr. Salazar, CMMC Version 2.0 has been in the making for the past eight months and takes into account the more than 850 public comments DoD received regarding CMMC 1.0.  Mr. McKeown explained that CMMC 1.0 may have been too broad and its requirements “too onerous,” especially on small and medium sized contractors.  He described CMMC 2.0, with its three levels rather than the five levels in CMMC 1.0, as more risk-based than the original CMMC because it is primarily focused on the type of data being protected.

Buddy Dees provided greater detail regarding CMMC 2.0, but he cautioned that some details could still change.  Key details discussed about revisions in CMMC 2.0 include:

  • CMMC 2.0 will no longer have requirements that are unique to CMMC, including maturities. Along these lines, if the Department identifies gaps in security controls, it will take them to the National Institute of Standards and Technology (NIST) to consider for inclusion in future iterations of NIST publications, which are the source of existing controls that are commonly referenced in DoD controls.  If NIST concurs with a particular addition, then the appropriate NIST publication would be updated and included in the CMMC framework.  DoD said that this approach provides an opportunity for interagency discussion so that DoD can “better harmonize” with other agencies and have less bespoke DoD requirements.
  • Level 1 of CMMC 2.0 maps back to Level 1 in Version 1. The key difference is that Level 1 in CMMC 2.0 is a self-assessment rather than a third party certification.  After a contractor completes the self-assessment, a senior official from the contractor must submit an affirmation that the contractor complies with Level 1 requirements.  When asked about the reliability of the self-assessment, Salazar said that DoD hoped that having a senior official complete the affirmation would increase accountability.
  • The requirements of Level 2 of CMMC 2.0 — the minimum level to handle Controlled Unclassified Information (CUI) — now map one to one to the controls set forth in NIST SP 800-171 Rev. 2. However, this new Level 2 will be bifurcated to account for prioritized and non-prioritized CUI.  Prioritized CUI would require an assessment by a third party assessment organization, whereas non-prioritized CUI can be covered by a self-assessment.  DoD was clear that all CUI requires safeguarding, but acknowledged that some CUI contains information that is more sensitive to DoD and would therefore be more likely to be prioritized.  The example given in the meeting was that CUI related to military uniforms would not be prioritized, whereas CUI related to weapons systems would be prioritized.
  • Level 3 is most similar to Level 5 from the previous version of CMMC. One key difference is that Level 3 assessments in CMMC 2.0 will be conducted by government officials rather than by a third party assessment organization.  Level 3 will include controls set forth in NIST SP 800-172.
  • The prior version of CMMC required that a contractor meet all security controls for a Level. CMMC 2.0 allows a contractor to use a Plan of Action and Milestones (POA&M) to plan for implementation of security controls that the contractor has not yet met.  Under CMMC 2.0, contractors will be permitted 180 days after contract award to become compliant with any gaps described in the POA&M.  After that, the contracting officer will be able to exercise the remedies that are normally available when a contractor fails to meet contract requirements.  A subset of controls will not be permitted to be included in a POA&M.  There will also be a minimum threshold score that contractors must meet to be considered for contract award.  That score was not disclosed, and it is not clear whether it could be procurement specific.
  • CMMC 2.0 also introduces a waiver process for required controls that a contractor cannot or will not implement. There are three requirements for the waiver.  First, it will only be allowed in “mission critical instances” and must be submitted by the Government program office.  The submission must include a justification and mitigation strategy.  Second, it will be time bound.  The timing will be contract dependent.  Finally, it will require senior DoD approval.  DoD representatives stressed that they want to minimize overuse of the waivers.

DoD noted that it is continuing to work on the formal rulemaking process related to CMMC 2.0, which DoD anticipates could take between nine and twenty-four months.  During this time, DoD is suspending the CMMC pilot program previously introduced.  DoD is looking for ways to incentivize contractors to participate in CMMC prior to the final rule.  DoD hopes that some contractors will voluntarily seek CMMC Level 2 certification through a third party assessment organization before the final rule is published.  DoD stressed the importance of its new CMMC website as the main source of CMMC 2.0 guidance.  DoD hopes to provide an updated model and assessment guide for CMMC 2.0 by the end of November 2021.  The CMMC AB is holding a follow-up meeting on November 30, 2021.

Susan B. Cassidy

Susan is co-chair of the firm’s Aerospace and Defense Industry Group and is a partner in the firm’s Government Contracts and Cybersecurity Practice Groups. She previously served as in-house counsel for two major defense contractors and advises a broad range of government contractors on compliance with FAR and DFARS requirements, with a special expertise in supply chain and cybersecurity requirements. She has an active investigations practice and advises contractors when faced with cyber incidents involving government information. Susan relies on her expertise and experience with the Defense Department and the Intelligence Community to help her clients navigate the complex regulatory intersection of cybersecurity, national security, and government contracts. She is Chambers rated in both Government Contracts and Government Contracts Cybersecurity. In 2023, Chambers USA quoted sources stating that “Susan’s in-house experience coupled with her deep understanding of the regulatory requirements is the perfect balance to navigate legal and commercial matters.”

Her clients range from new entrants into the federal procurement market to well established defense contractors, and she provides compliance advice across a broad spectrum of procurement issues. Susan consistently remains at the forefront of legislative and regulatory changes in the procurement area, and in 2018 the National Law Review selected her as a “Go-to Thought Leader” on the topic of Cybersecurity for Government Contractors.

In her work with global, national, and start-up contractors, Susan advises companies on all aspects of government supply chain issues including:

  • Government cybersecurity requirements, including the Cybersecurity Maturity Model Certification (CMMC), DFARS 7012, and NIST SP 800-171 requirements,
  • Evolving sourcing issues such as Section 889, counterfeit part requirements, Section 5949 and limitations on sourcing from China
  • Federal Acquisition Security Council (FASC) regulations and product exclusions,
  • Controlled unclassified information (CUI) obligations, and
  • M&A government cybersecurity due diligence.

Susan has an active internal investigations practice that assists clients when allegations of non-compliance arise with procurement requirements, such as in the following areas:

  • Procurement fraud and FAR mandatory disclosure requirements,
  • Cyber incidents and data spills involving sensitive government information,
  • Allegations of violations of national security requirements, and
  • Compliance with MIL-SPEC requirements, the Qualified Products List, and other sourcing obligations.

In addition to her counseling and investigatory practice, Susan has considerable litigation experience and has represented clients in bid protests, prime-subcontractor disputes, Administrative Procedure Act cases, and product liability litigation before federal courts, state courts, and administrative agencies.

Susan is a former Public Contract Law Procurement Division Co-Chair, former Co-Chair and current Vice-Chair of the ABA PCL Cybersecurity, Privacy and Emerging Technology Committee.

Prior to joining Covington, Susan served as in-house senior counsel at Northrop Grumman Corporation and Motorola Incorporated.

Robert Huffman

Bob Huffman counsels government contractors on emerging technology issues, including artificial intelligence (AI), cybersecurity, and software supply chain security, that are currently affecting federal and state procurement. His areas of expertise include the Department of Defense (DOD) and other agency acquisition regulations governing information security and the reporting of cyber incidents, the proposed Cybersecurity Maturity Model Certification (CMMC) program, the requirements for secure software development self-attestations and bills of materials (SBOMs) emanating from the May 2021 Executive Order on Cybersecurity, and the various requirements for responsible AI procurement, safety, and testing currently being implemented under the October 2023 AI Executive Order. 

Bob also represents contractors in False Claims Act (FCA) litigation and investigations involving cybersecurity and other technology compliance issues, as well as more traditional government contracting cost, quality, and regulatory compliance issues. These investigations include significant parallel civil/criminal proceedings growing out of the Department of Justice’s Cyber Fraud Initiative. They also include investigations resulting from False Claims Act qui tam lawsuits and other enforcement proceedings. Bob has represented clients in over a dozen FCA qui tam suits.

Bob also regularly counsels clients on government contracting supply chain compliance issues, including those arising under the Buy American Act/Trade Agreements Act and Section 889 of the FY2019 National Defense Authorization Act. In addition, Bob advises government contractors on rules relating to IP, including government patent rights, technical data rights, rights in computer software, and the rules applicable to IP in the acquisition of commercial products, services, and software. He focuses this aspect of his practice on the overlap of these traditional government contracts IP rules with the IP issues associated with the acquisition of AI services and the data needed to train the large learning models on which those services are based. 

Bob writes extensively in the areas of procurement-related AI, cybersecurity, software security, and supply chain regulation. He also teaches a course at Georgetown Law School that focuses on the technology, supply chain, and national security issues associated with energy and climate change.

Ryan Burnette

Ryan Burnette is a government contracts and technology-focused lawyer who advises defense and civilian contractors on federal contracting compliance and on civil and internal investigations that stem from these obligations. Ryan has particular experience with clients that hold defense and intelligence community contracts and subcontracts, and has recognized expertise in national security related matters, including those that relate to federal cybersecurity and supply chain security. Ryan also advises on FAR and DFARS compliance, public policy matters, agency disputes, and government cost accounting.  He speaks and writes regularly on government contracts and cybersecurity topics, drawing significantly on his prior experience in government to provide insight on the practical implications of regulations.

Ryan is especially experienced with:

  • Government cybersecurity standards, including the Federal Risk and Authorization Management Program (FedRAMP); Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 and 252.204-7020; National Institute of Standards and Technology (NIST) publications, such as NIST SP 800-171; software and artificial intelligence security, attestations, and bill of materials requirements; and the Cybersecurity Maturity Model Certification (CMMC) program.
  • Supply chain requirements, including Section 889 of the FY19 National Defense Authorization Act; restrictions on covered semiconductors and printed circuit boards; Information and Communications Technology and Services (ICTS) restrictions; and matters relating to the Federal Acquisition Security Council (FASC).
  • Information handling, marking, and dissemination requirements, including those relating to Covered Defense Information (CDI) and Controlled Unclassified Information (CUI).
  • Federal Cost Accounting Standards and FAR Part 31 allocation and reimbursement requirements.

Prior to joining Covington, Ryan served in the Office of Federal Procurement Policy in the Executive Office of the President, where he developed and implemented government-wide contracting regulations and administrative actions affecting more than $400 billion worth of goods and services each year. While in government, Ryan worked on several contracting-related Executive Orders, and worked with White House and agency officials on regulatory and policy matters affecting contractor disclosure and agency responsibility determinations, labor and employment issues, IT contracting, commercial item acquisitions, performance contracting, GSA Schedules and interagency acquisitions, competition requirements, and suspension and debarment, among others.

Additionally, in the wake of significant incidents affecting the program, Ryan was selected to serve on a core team that led reform of security processes affecting federal background investigations for cleared employees and contractors. These efforts resulted in the establishment of a new federal bureau to conduct and manage background investigations.

Darby Rourick

Darby Rourick advises defense and civilian contractors on a range of issues related to government contracting and has particular experience in federal cybersecurity and information technology supply chain issues. She has an active investigations practice and has experience representing clients in internal and government investigations, including conducting witness interviews and managing government subpoena and CID responses. She also counsels clients on cybersecurity incident response; compliance with federal cybersecurity laws, regulations, and standards; supplier and subcontractor security issues; and cybersecurity related investigations.