Pentagon announces version 2.0 of its controversial CMMC program

Last week, the Pentagon announced version 2.0 of its controversial and complex Cybersecurity Maturity Model Certification (CMMC). The CMMC is a training, certification and third-party assessment framework for defense industrial base (DIB) contractors. The goal of the CMMC is to provide cybersecurity requirements that DIB contractors must implement.

The Department of Defense (DoD) Introduced CMMC three years ago and adopted it in an interim format in September 2020. It was designed to replace the previous cybersecurity self-attestation of DIB contractors with third-party verification of compliance. An independent, tax-exempt organization, the CMMC Accreditation Body (CMMC-AB), was picked by the Pentagon to conduct the third-party verifications.

Number of security maturity levels cut from five to three

The first version of the CMMC spells out basic cybersecurity hygiene processes and practices in a complicated model framework of 17 domains mapped across five maturity levels: basic, intermediate, good, proactive, and advanced. CMCC 2.0 seeks to cut the “red tape for small and medium-sized businesses” by whittling down the need for accreditation and reducing the number of levels to three: Foundational, Advanced and Expert.

To achieve the foundational level, DoD outlines 17 basic practices contractors must meet and requires only self-attestation as proof of compliance. The Advanced level increases the required practices to 110, aligning with the National Institute for Standards and Technology (NIST) special publication (SP) 800-171.

The Advanced level requires triannual third-party assessments for critical national security information and annual self-attestation for select programs. The new top-level, Expert, requires contractors to implement more than 110 practices aligned with 800-171 and requires triannual government-led assessments.

CMMC 2.0 might not emerge for two years

DoD will implement CMMC 2.0 in two rulemaking processes with public comment periods. Until those rulemakings are complete, which could take up to 24 months, DoD will suspend current pilot programs of the CMMC program that were launched in December 2020 and stop the inclusion of CMMC requirements in any DoD solicitations. In addition, CMMC 2.0 will not be a contractual requirement until the DoD completes rulemaking. In the meantime, the DoD is exploring the idea of providing incentives for contractors who voluntarily obtain a CMMC certification in the intervening period.

DOD said that contractors and subcontractors who are handling the same type of federal contractor information (FCI) and controlled unclassified information (CUI) must still meet the same requirements. However, in cases where the prime contractor flows down to their subcontractors only certain kinds of information, a lower CMMC level may apply to the subcontractors.

DARS requirements are still in place

All contractors are still obligated to meet the cybersecurity requirements of several Defense Acquisition Regulation Supplements (DARS), including 252.204-7012, 252.227-7017, 252.204-7019, and 252.204-7020. The DoD also points contractors to its Project Spectrum to “help DIB companies assess their cyber readiness and begin adopting sound cybersecurity practices.”

Matthew Travis, CEO of the CMMC-AB, welcomes the change, saying in a statement, “The DoD approached this from the appropriate risk management perspective and delivered on what the internal review set out to accomplish: clarifying the standard, reducing the cost burden, improving scalability, and instilling greater trust and confidence in the CMMC ecosystem.”

However, Travis points to what he thinks are challenges of this new CMMC iteration, “such as curricula adjustments our training providers now need to make and the time requirement for yet another round of federal rulemaking.” To address the challenges, the CMMC-AB will hold a special town hall to discuss the changes in CMMC 2.0

CMMC has been in turmoil from the outset

The CMMC has been in turmoil since its outset. Following concerns that the CMMC-AB, which has an exclusive memorandum of understanding (MOU) with the Pentagon, was running a partnership program that many considered to be a pay-for-play scheme. Ty Schieber, the chairman of the CMMC-AB, and Mark Berman, the chairman of the communications committee, left the board of the organization unexpectedly. Other board members fled the organization, too, including treasurer Jim Goepel, the CEO and general counsel for Fathom Cyber.

Following this controversy, and on the heels of complaints that the CMMC is too complicated and costly for small organizations to adopt, the DoD conducted an internal assessment of the CMMC program’s implementation last March, soliciting more than 850 public comments. “This review resulted in ‘CMMC 2.0,’ which updates the program structure and the requirements to streamline and improve implementation of the CMMC program,” according to a now-withdrawn DoD Federal Register notice announcing the skeletal outlines of CMMC 2.0. (Neither the DoD nor the Office of the Federal Register responded to questions about why the Pentagon withdrew the notice. Moreover, the Office of the Federal Register has yet to post the DoD’s Federal Register withdrawal letter, which might shed some light on the notice’s withdrawal.)

It doesn’t help matters that the Pentagon official overseeing the CMMC, former CISO for Acquisition and Sustainment Katie Arrington, was placed on leave after the National Security Agency (NSA) reported an unauthorized disclosure of classified information from a military intelligence agency. Arrington is now suing the DoD to resolve her personnel case. She claims her current non-duty paid leave “was designed to interfere with the running of CMMC, which the NSA did not support.”

Only a minority of contractors might require third-party verification

James Goepel, former CMMC-AB board member and now the co-founder of the CMMC Information Institute, sent a letter on November 5 to President Biden blasting the CMMC 2.0. He says it contradicts the goals of better cybersecurity outlined in the White House’s May cybersecurity executive order and harms the nation.

In particular, Goepel and fellow former CMMC-AB board member Mark Berman, who is also a co-founder of the CMMC Information Institute, take aim at the reintroduction of self-attestations in CMMC 2.0. “CMMC 2.0 creates slightly more jeopardy for contractors since the head of the organization must sign an attestation of the contractors’ compliance with the regulations. However, contractors are also aware that the Department of Justice (DoJ) can only pursue a handful of False Claims Act cases each year,” Goepel says in the letter.

Goepel tells CSO he estimates that 175,000 of the 220,000 or so DIB contractors would be able to self-attest at the first or second levels under CMMC 2.0, leaving only around 45,000 contractors that would need third-party verification. “That’s a drop in the bucket compared to the overall DOD supply chain,” he says.

Moreover, by removing the maturity model element from the CMMC, the DoD has produced a technology-centric model that skips essential policies and procedures, Goepel says. “You look at somebody like Equifax, or even SolarWinds. They had good technologies in place. Where they failed is that they didn’t have proper policies and procedures and plans written around those technologies to ensure that they’re used adequately and properly.”