The announcement of CMMC 2.0 has garnered a lot of attention throughout the Defense Industrial Base (DIB). With that attention comes the anxiety of change and uncertainty, especially for DIB contractors and their consultants who have already made considerable progress toward their CMMC objectives. Although these changes seem daunting, most of them are a refinement of the existing CMMC requirements rather than a redefinition of the standard. Most, if not all, of the reported changes involve controls and practices that an organization following CMMC 1.0 has already implemented or is currently working toward, although there are a few other changes organizations should be aware of beyond the proposed realignment of the levels. Despite the waves CMMC 2.0 has caused, the 2.0 standard has not been finalized and is subject to change before it becomes law.
An Overview of the CMMC 2.0 Changes
So, what are the changes in CMMC 2.0 that organizations should keep in mind during this evaluation period? In short, not as many as you would think. Many of the requirements and their implementation timelines remain the same. As with CMMC 1.0, the CMMC 2.0 requirements will apply to all primes and subcontractors within the DIB; what changes is how the requirements are structured. Rather than the original CMMC's five maturity levels, CMMC 2.0 has three levels, assigned according to the type and sensitivity of the covered information (FCI or CUI) within the system. The original model intended contractors to start at Level 1 and progress through each level up to their required level (usually 3 or 5). CMMC 2.0 does away with this progression: an organization's required level (for most contractors, CMMC 2.0 Level 1 or 2) is specified directly, based on the sensitivity of the FCI or CUI in the system. An overview of each level is provided later in this article.
According to the DoD, the overall changes and objectives of CMMC 2.0 are meant to streamline and simplify the compliance process for organizations. A significant change worth noting is the ability to use Plans of Action and Milestones (POA&Ms), which CMMC 1.0 did not allow but which contractors have long used under NIST SP 800-171 and DFARS 252.204-7012. Although permitted only in limited cases, this is a considerable change to any organization's CMMC compliance strategy: it spreads the cost of implementing some controls over several months and encourages contractors to comply with the full breadth of the CMMC 2.0 requirements. However, unlike NIST SP 800-171 POA&Ms, there will be a strict timeline (180 days) to remediate the gaps in an organization's compliance, rather than allowing POA&Ms to be used, as they often are today, as a means to postpone implementation indefinitely.
CMMC 2.0 Self Assessments & Accountability Standards
Another significant change is the addition of self-assessment at the lower levels. Although self-assessment seems like a great opportunity to minimize third-party assessment costs, there are several concerns and pitfalls that organizations should keep in mind. Self-assessment requires someone at the business to assess the organization against the applicable requirements (the 17 Level 1 practices, or all 110 NIST SP 800-171 requirements at Level 2) and to affirm to the government that every one of those requirements is met. Although this is seemingly straightforward, it exposes the organization to the False Claims Act (FCA), under which an organization faces civil liability (treble damages plus per-claim penalties) if it knowingly submits a false affirmation; "knowingly" under the FCA includes deliberate ignorance and reckless disregard of the truth, so an organization cannot shield itself by not looking closely at its own compliance. A knowingly false statement to the government can also carry criminal exposure under separate statutes. In short, the DoD is making it abundantly clear that ignorance is no longer a valid excuse when attesting to compliance with NIST SP 800-171, and any breach or audit finding that conflicts with the self-assessment results could present a multitude of liabilities for the organization and for the executives who sign the attestation. (Ethically, this author must discourage self-attestation by organizations. The financial risk of self-attestation far outweighs the potential savings from forgoing the cost of an independent third-party assessor, or C3PAO.)
Alongside the new self-assessment provisions, the other considerable change in CMMC 2.0 is the move from a five-level model to a three-level model, eliminating the original Levels 2 and 4, which were transition levels with little practical use. As before, the required level is set by the organization's contract requirements, which take into account factors such as the sensitivity of the information (e.g., FCI, CUI, or ITAR-controlled data) on unclassified systems, and each level is based on the familiar NIST standards. If an organization is already prepared for a CMMC 1.0 assessment, adopting CMMC 2.0 should be rather straightforward. For organizations that aren't quite there yet, as with CMMC 1.0, each level adds complexity and requires a higher level of security and expertise to achieve.
The CMMC 2.0 Levels Explained
The first level of CMMC 2.0 is titled "Foundational" and is frequently referred to simply as "Level 1." It requires an annual self-assessment against 17 practices (the basic safeguarding requirements of FAR 52.204-21) but falls short of what most cybersecurity professionals would consider a minimum standard of security, as it omits many established baseline practices such as multi-factor authentication, centralized logging and monitoring (SIEM), and end-user security awareness training.
The second level of CMMC 2.0, titled "Advanced," is similar to CMMC 1.0 Level 3 and uses the 110 requirements of NIST SP 800-171 Rev. 2 as its standard. It may cause some confusion, as the level is split in two. For a limited set of contracts (non-prioritized acquisitions), organizations will only need an annual self-assessment and attestation. Most organizations, however, will fall under what is starting to be called "Level 2 High," which requires a third-party assessment by a C3PAO every three years. The NIST SP 800-171 Rev. 2 standard should be familiar to most DIB contractors, as it has been part of their contractual obligations for several years, and to some it may feel like a return to normal.
The third level of CMMC 2.0, titled "Expert," is the most stringent level, similar to Level 5 of CMMC 1.0. Its most notable addition is a set of NIST SP 800-172 controls on top of the NIST SP 800-171 controls already required at Level 2. Assessments at this level are also triennial, but unlike Level 2 they will be government-led rather than performed by a C3PAO.
CMMC 2.0 Timelines & Key Considerations to Keep in Mind
Despite all these proposed changes, CMMC 2.0 is a draft standard that is not expected to be finalized until August 2022 at the earliest, and possibly as late as 2023. If and when the draft is approved through rulemaking, compliance will become a legal requirement for companies that handle CUI and/or FCI for the U.S. government, codified in Title 32 of the Code of Federal Regulations (C.F.R.) and, through DFARS, in Title 48. While CMMC 2.0 has not yet been codified, it is undeniably coming. For most organizations, NIST SP 800-171 is already a contractual reality that many have fallen short of implementing fully. Few, if any, further changes to the CMMC 2.0 requirements are expected at this time, so making sure your company is ready should be a priority. Of equal importance, from a cybersecurity best-practices standpoint, be prepared to fulfill your existing NIST SP 800-171 contractual obligations.
Recommended Next Steps
In short, despite the proposed changes to the CMMC model, it is of the utmost importance that DIB contractors maintain their trajectory toward becoming fully NIST SP 800-171 compliant, so that once the CMMC changes are adopted they can fulfill those requirements on day one. These requirements cannot be achieved overnight; in our experience, most organizations (depending on their current posture) take between 6 and 24 months to become compliant and ready for a C3PAO assessment. These proposed changes should not be perceived as an opportunity to delay your CMMC or NIST SP 800-171 implementation strategy, as once they are approved, you will be held accountable to those standards.