Department of Defense (DoD) contractors struggling to comply with upcoming cybersecurity regulations under the Cybersecurity Maturity Model Certification (CMMC) can breathe a sigh of relief—the DoD has announced its intent to release CMMC 2.0, with promises to streamline the certification process and ease security regulations for contractors and sub-contractors handling low-priority information.
Intended to promote compliance with DoD cybersecurity procedures and give teeth to enforcement, the CMMC program was first announced in 2020 to regulate the control of unclassified information (CUI) and high-value assets (HVAs) by external contractors.
But the original version of CMMC called for all DoD contractors and subcontractors to undertake mandatory third-party assessments of their cybersecurity procedures, which would have greatly raised the costs of compliance. The independent certification requirement would have applied to all external firms across the board, regardless of their role or the sensitivity of information handled.
The subject of much criticism, this stipulation has been downgraded under CMMC 2.0 to only apply to contractors handling the most sensitive information.
It’s hoped that the realignment of cybersecurity standards in line with the sensitivity of the data that each contractor handles will cut unnecessary red tape and hasten the compliance period to ensure protection against looming cyberattacks.
Its removal is undoubtedly good news for many DoD contractors and a cost-effective move for the federal government—a wider range of firms can now continue to bid competitively on contracts, ensuring high levels of competition.
Why the change?
Following a six-month internal review, CMMC 1.0 was determined to be impractical to implement. This was largely attributed to the universal third-party assessment requirement, which would have created a backlog and long wait times at assessment agencies inundated with requests, greatly extending the time needed to implement the new standard.
Critics also complained the original version of CMMC priced out smaller firms from bidding on contracts, as the arduous expectations were too expensive and burdensome to adhere to without excess capital.
The revamp promises a more flexible and efficient system for contractors to fulfill the Department’s cybersecurity expectations, showing a willingness on its part to be responsive to widespread concerns and cooperate with external firms.
It’s also hoped that CMMC 2.0 will help to build a culture of trust between the Department and its contractors, rectifying relationships with those who felt unfairly targeted after the release of the initial standards.
The changes are expected to be ratified within the next 9 to 24 months; in the meantime, the DoD has scrapped previous CMMC piloting efforts but encourages contractors to enhance their cybersecurity posture in the interim period.
What’s different under CMMC 2.0?
CMMC 2.0 will replace the original version’s five tier grading system, favoring a more straightforward approach to categorizing the type of information being handled. This will be condensed into three tiers: foundational, advanced, and expert.
The foundational level calls for contractors to perform independent self-assessments of their security procedures and implement fifteen “basic” controls of federal contract information, which is information not intended for public release that is provided by or generated for the Government under a contract. This level is applied to contractors whose systems store, process or transmit federal contract information but do not handle controlled unclassified information—the contractor is required to apply basic safeguarding requirements to protect information systems, such as limiting system access to authorized users and performing real-time scans of downloaded files from external sources.
The advanced level bifurcates the handling of CUI into “prioritized acquisitions” and “non-prioritized acquisitions,” the former being considered sensitive information. Prioritized acquisitions will require a third-party assessment, whereas nonprioritized information is only subject to self-assessment. For instance, contractors handling intel related to weapons systems will be classified as prioritized, whereas military uniforms would fall into the latter category.
The most rigorous level, expert, applies to any contactor handling high-value assets. This will require government-led assessments of a contractor’s cybersecurity procedures every three years. Contractors will also be subject to compliance with over 110 cybersecurity controls as laid out in NIST’s SP 800-172.
Of additional note, CMMC 2.0 also allows for the use of plan of action and milestone (PoAM) strategies; non-complying firms can set out a plan to comply with cybersecurity expectations in the future and continue to bid on contracts whose requirements they currently do not meet.
Are the new regulations comprehensive enough?
The DoD originally announced CMMC following the fallout from the SolarWinds hack, which sparked universal calls for more robust cybersecurity measures. The hack, suspected to be perpetuated by a group backed by the Russian government, led to data breaches at all levels of the federal government, including within the Department of Homeland Security’s own system.
Rightfully so, the DoD acted swiftly in response but may have been overbearing with their original CMMC proposal, relative to the risk posed by contractors that don’t handle sensitive information. By setting burdensome requirements, especially among smaller contractors, they would have undoubtedly faced higher prices, as contractors would have been forced to pass this cost on.
With CMMC 2.0, the DoD is trying to strike the right balance between national security interests and the functioning of a healthy contractor market.
By treating contractors handling office supplies differently than those supervising weapon supplies, the DoD is recognizing the nuances of cybersecurity protocols and forging a carefully considered path that other government agencies can follow.