iQuasar Cyber

CMMC 2.0

After almost a year of speculation, the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) announced a new strategic direction for the Cybersecurity Maturity Model Certification (CMMC) framework, revising CMMC 1.0 into CMMC 2.0.

The new version of the model changes multiple aspects of CMMC compliance, including which assessments are mandatory, the number of levels, the practices in the model, implementation, and certification. DoD introduced the new model in response to feedback from industry and concerns raised by small and medium-sized businesses. This blog summarizes the changes and highlights, and their impact on CMMC compliance in general.

Summary of changes:

  1. Self-assessment: An annual self-assessment, with sign-off by a member of executive management on the assessed security controls, meets the requirements for CMMC 2.0 Level 1 without third-party certification. This applies to companies that do not handle Controlled Unclassified Information (CUI).
  2. Reduction in levels: Reduced from 5 maturity levels to 3 maturity levels in CMMC 2.0.
  3. Waiver introduction: Waivers were not allowed in the prior model. CMMC 2.0 allows them, and a waiver covers the entire CMMC requirement rather than individual cybersecurity practices. Waivers are granted for a limited time in mission-critical situations, with approval from DoD senior leadership.
  4. NIST alignment: The new model aligns directly with NIST SP 800-171, with Level 3 drawing on NIST SP 800-172.
  5. POA&M: Plans of Action and Milestones (POA&Ms) are now permitted. The previous model excluded POA&Ms entirely; CMMC 2.0 allows them, albeit on a limited basis.

Summary of differences in CMMC models:

CMMC 2.0 is consolidated into three levels instead of five in the previous model, as illustrated in the tables below (level, number of practices, assessment type):

CMMC 2.0

  Level    Practices  Assessment
  Level 1  17         Annual self-assessment
  Level 2  110        Triennial third-party assessment for critical national security information; annual self-assessment for select programs (NIST SP 800-171)
  Level 3  110+       Triennial government-led assessment (NIST SP 800-172)

CMMC 1.0

  Level    Practices  Assessment
  Level 1  17         Third-party
  Level 2  72         None
  Level 3  130        Third-party
  Level 4  156        None
  Level 5  171        Third-party

CMMC 2.0 Model Highlights:

Once DoD completes all the formalities, CMMC 2.0 will become a contract requirement. The changes in CMMC 2.0 will be implemented through the rule-making process, which DoD expects to complete in the next 9 to 24 months. DoD intends to pursue rule-making both in Title 32 of the Code of Federal Regulations (C.F.R.) and in the Defense Federal Acquisition Regulation Supplement (DFARS) in Title 48 of the C.F.R. While these rule-making efforts are ongoing, the Department intends to suspend the current CMMC piloting efforts and will not approve the inclusion of a CMMC requirement in any DoD solicitation. The impact of the new model on a given vendor depends on the information that vendor handles: a DoD vendor may fall into any one of the three levels, depending on the service it provides. Below is a summary of the CMMC 2.0 maturity levels and the corresponding vendor populations as per the initial DIB analysis:

  1. Level 1: The 17 practices of CMMC 1.0 Level 1, a limited subset of NIST SP 800-171 aimed at basic cyber hygiene, carry over into CMMC 2.0 Level 1. This level applies to organizations that handle Federal Contract Information (FCI) but not CUI. The government sees this basic level as an opportunity to engage contractors in building and upgrading their cybersecurity posture. Level 1 is achieved through an annual self-assessment. This category includes around 140,000 contractors.
  2. Level 2: The 110 controls of NIST SP 800-171 make up CMMC 2.0 Level 2. The criticality of the information an organization holds determines how Level 2 is split. Businesses holding CUI classified as critical national security information will require a third-party assessment every three years. For other firms, an annual self-assessment against the same 110 controls will suffice. This category includes around 80,000 contractors.
  3. Level 3: Although CMMC 2.0 Level 3 is still being defined, the official website describes it as more than 110 practices, with the additional practices based on NIST SP 800-172. The most important point is that the government, not C3PAOs, will conduct Level 3 assessments. These contractors are considered to handle the most sensitive and essential DoD information. This category includes approximately 500 contractors.

Impact of CMMC 2.0:

The impact of CMMC 2.0 on DoD contractors, and on industry more generally, can be substantial. The following section summarizes some of the impacts that can be expected as a result of the new model:

  1. Self-assessment for Level 1 and some Level 2 contractors: Contractors that do not handle critical CUI now need only an annual self-assessment, as opposed to the third-party assessment, valid for three years, required by the previous model. However, executive management must sign off on this self-assessment every year. Although the sign-off may look like an easy task on the surface, liability for a breach caused by poor controls still applies, and the signature is a representation the company can be held to.
  2. Triennial assessment by an internal DoD division: Level 3 contractors and subcontractors will be assessed every three years by an internal DoD division. This is a major change from the previous model, as DoD will be directly involved in assessing these contractors.
  3. CMMC 2.0 accommodates waivers, which the previous model did not. Waivers are issued at DoD's discretion and only for a limited period, so contractors should assume DoD will be very selective in granting them. The good news is that a waiver is not tied to a specific control but can cover the entire CMMC requirement, supported by documentation and a justification of how the risk is mitigated.
  4. The previous CMMC model did not allow a Plan of Action and Milestones (POA&M) for any practice. A critical shift in the new model is the introduction of POA&Ms. Even though they are allowed only on a limited basis, the introduction of POA&Ms looks like a strategic change that DoD may expand further based on what it learns. The Department will publish criteria for acceptable POA&Ms.
  5. The CMMC-AB will continue to function as the accreditation body for C3PAOs, CMMC Assessors, and the CMMC Assessor and Instructor Certification Organization. However, DoD will review the CMMC-AB for conflicts of interest.

CMMC 2.0 Final Thoughts

Cybersecurity will not go away as a requirement, and CMMC 2.0 appears intended not just to simplify compliance but to accelerate it. There are a few more things to think about as you continue to build out your security operations.

  1. Remember that DFARS still applies to the whole defense industrial base, and you already have contractual obligations to comply with NIST SP 800-171 under DFARS 252.204-7012.
  2. The Department of Justice's Civil Cyber-Fraud Initiative, unveiled on October 6, 2021, signals DOJ's intent to use the False Claims Act against federal contractors that knowingly fail to meet their contractual cybersecurity requirements or misrepresent their cybersecurity practices.
  3. Relax, but don't become complacent. There is still time to get your house in order, thanks to the new clarity (and confusion) surrounding CMMC 2.0 timetables. The requirement under DFARS 252.204-7019 and 252.204-7020 to complete a NIST SP 800-171 self-assessment and post the score in DoD's Supplier Performance Risk System (SPRS) remains in effect.
 

If you have already created security plans, made tactical and strategic plans, documented controls for people, process, and technology, put risk mitigation strategies in place, computed your risk ratings, and submitted your Supplier Performance Risk System (SPRS) score, you are well positioned to meet CMMC 2.0 in a short period. Most likely, you have already identified security weaknesses and will need to implement additional controls to mitigate the risk. Mitigating cyber risk is a never-ending process, so these actions are continually in motion. During the rule-making process, the Department of Defense urges contractors to continue improving their cybersecurity posture and is exploring ways to reward contractors who voluntarily earn CMMC certification in the interim. So, with the arrival of CMMC 2.0, don't lose the momentum you built preparing for compliance with the existing CMMC model.

Continue to plan for CMMC 2.0 compliance using CMMC 1.0 as a starting point. Defense contractors appear to benefit from the reduced number of levels, the narrower scope of third-party assessments, and the introduction of waivers. However, as with CMMC 1.0, compliance with CMMC 2.0 means that basic or advanced cyber hygiene and security procedures must still be implemented, maintained, and documented. The method of implementation may have changed, but the goal of reducing cyber risk has not. If your organization fails to comply with CMMC 2.0, the chances of losing a DoD contract are substantial. DoD has taken the position of making compliance simpler for select firms without sacrificing cybersecurity safeguards. A defense contractor that wants to stay relevant must make clear in its strategy that cybersecurity is at the top of the priority list.

iQuasar Cyber, Inc. is a Registered Provider Organization (RPO) with a team of experienced cybersecurity consultants and assessment experts who conduct a range of cybersecurity assessments to a high standard and with professionalism. iQuasar Cyber's cybersecurity team has performed different types of compliance assessments and has guided its clients in combating cybersecurity risk. Compliance assessment work performed by the iQuasar Cyber team includes ISO 9001:2015, ISO 27001, FFIEC, HIPAA, NIST SP 800-53, NIST SP 800-63, CCPA, GDPR, and others.