DoD Makes U-Turn: Changes Strategic Direction for CMMC Program

After completing an internal program assessment, the Department of Defense (“DoD”) announced a stark change in the strategic direction of its Cybersecurity Maturity Model Certification (“CMMC”) program. DoD initially released CMMC 1.0 in January 2020, intending for it to roll out from 2021-2025 and, by 2026, for all defense contracts to incorporate the robust requirements of CMMC 1.0. However, implementation of CMMC is now halted, and DoD is working to finalize an enhanced CMMC program dubbed CMMC 2.0. DoD has emphasized that CMMC 2.0 will maintain the program’s original goal of safeguarding sensitive information; however, it will also minimize barriers to compliance with DoD requirements, simplify the CMMC standard, reduce assessment costs, create a more collaborative culture of cybersecurity, and provide for more flexible implementation.

Application and Timing

Like CMMC 1.0, the revamped requirements of CMMC 2.0 will apply to both prime contractors and subcontractors. The changes discussed below will be implemented through the formal rulemaking process, which can last anywhere from 9-24 months. As a result, the earliest that DoD expects to implement CMMC 2.0 is August 2022. Until the rulemaking process is complete, DoD is suspending its CMMC piloting efforts and will not include CMMC requirements in any contracts. Nevertheless, DoD has announced that it may potentially offer incentives to contractors who voluntarily obtain a CMMC certification while the rulemaking process is in progress. DoD also encourages contractors to continue updating and improving their cybersecurity practices and systems in the meantime.

Key Changes

Reduction of Certification Levels

Unlike the previous framework (discussed in our prior alert here), CMMC 2.0 reduces the total number of certification levels from five to three. Notably, CMMC 2.0 eliminates Level 2 and Level 4, and renames the surviving levels as follows: (1) Level 1, Foundational; (2) Level 2, Advanced; and (3) Level 3, Expert. The cybersecurity standards in CMMC 2.0 are derived from the National Institute of Standards and Technology Special Publication (NIST SP) 800-171 and NIST SP 800-172, which should permit a smoother transition for contractors, many of whom may already comply with these standards.

Assessments

Additionally, CMMC 2.0 removes the requirement that all certification assessments be performed by third-party organizations, known as CMMC Third-Party Assessment Organizations (“C3PAOs”). Instead, the updated framework allows for annual self-assessment for all contractors at Level 1 and for contractors at Level 2, provided the contractor is not handling “critical national security information.” Otherwise, CMMC 2.0 requires a C3PAO assessment every three years for contractors at Level 2 and a government (rather than C3PAO) assessment every three years for contractors at Level 3.

POAMs

Further, whereas CMMC 1.0 required contractors to achieve full certification to even be eligible to submit a proposal for a defense contract, CMMC 2.0 allows contractors that are not yet in full compliance with applicable cybersecurity requirements to receive contract awards if they implement a Plan of Action & Milestones (“POAM”). POAMs must provide steps for achieving compliance by a certain deadline specified by DoD. DoD is currently considering a 180-day timeline from contract award for contractors to satisfy the measures set forth in their plans.

Waivers

Lastly, CMMC 2.0 allows limited waivers of CMMC requirements for select mission-critical acquisitions. Although details have not been finalized, DoD has announced that these waivers will be temporary and must be approved by DoD senior leadership.

As the CMMC rulemaking process continues to unfold, government contractors should continue to monitor and enhance their cybersecurity posture in preparation for CMMC 2.0. If you need any assistance with preparing for CMMC compliance or determining the most effective path forward for developing and maintaining cybersecurity processes and equipped personnel, please contact one of the authors or another member of Lewis Rice’s Cybersecurity & Data Privacy Group.