
After conducting an internal review, the Department of Defense (DoD) announced a major change to the Cybersecurity Maturity Model Certification (CMMC) program. According to the DoD, the updated framework, now called CMMC 2.0, will:

  1. Simplify the CMMC standard and provide additional clarity on cybersecurity regulatory, policy and contracting requirements
  2. Focus the most advanced cybersecurity standards and third-party assessment requirements on companies supporting the highest priority programs
  3. Increase DoD oversight of professional and ethical standards in the assessment ecosystem

Organizations are now asking what is changing with the CMMC requirements, what stays the same and what key questions still need to be answered.

Much of CMMC remains the same; however, many contractors need to evaluate these five key changes:

  1. Preparation and timeline – According to current DoD guidance, CMMC 2.0 will require 9-24 months of rulemaking. Organizations should use this time and their resources wisely by implementing NIST SP 800-171, which is already required by contract under DFARS 252.204-7012. Implementing NIST 800-171 also improves the self-assessment score you post to the DoD's Supplier Performance Risk System (SPRS), and the DoD has indicated there may be incentives for improved scores and/or early adoption of CMMC 2.0.
  2. Annual affirmation – CMMC 2.0 calls for an annual affirmation from a senior company official, a requirement reminiscent of Sarbanes-Oxley (SOX) Section 302. Additionally, the Department of Justice (DOJ) has announced its intent to hold accountable entities or individuals that knowingly misrepresent their cybersecurity practices. Organizations should begin evaluating their process for completing this affirmation, determining who will sign it and what evidence that person will need in order to be comfortable signing.
  3. Plan of action and milestones (POA&Ms) and waivers – Only a small number of waivers will be granted, benefiting a limited number of contractors. POA&Ms will apply only to lower-weighted requirements, and only once an organization has already reached a minimum assessment score.
  4. Policies and procedures – While it is true that CMMC 2.0 eliminates the process requirements, NIST 800-171 requires 49 of the 110 requirements to be "defined," which in practice means a policy or procedure. Further, if you make claims about your organization's cybersecurity environment to the DoD every year, it is beneficial to have the rigor and structure to ensure those statements remain accurate.
  5. Self-assessments – While organizations pursuing CMMC Level 1 will benefit from self-assessments, most contractors who have concerns about CMMC were targeting the prior Level 3 (new Level 2) and above. As originally announced under CMMC 2.0, contractors that handle controlled unclassified information (CUI) would require a third-party or DoD-led assessment only if the associated programs "involve information critical to national security"; the DoD has since announced that all Level 2 assessments will be conducted by third parties. The DoD estimates that approximately 80,000 contractors fall into this category. A trend also appears to be forming among primes to require all subcontractors to be certified at Level 2. From the prime's point of view, this reduces the risk of sharing CUI with a subcontractor that is not certified to handle it, because every subcontractor is certified. So even where the DoD itself would permit a self-assessment, prime flow-down means a large population of contractors will still require third-party certification.


How will CMMC 2.0 impact your organization?

Review the decision tree and consult the notes below for further insight.

Figure: CMMC 2.0 decision tree

Note A – While the DoD may not require CMMC 2.0 for a given contract, some prime contractors (primes) are pushing their supply chain to comply. Doing so makes it easier for the prime: if all preferred providers are CMMC 2.0 Level 2 or higher, the prime has less to worry about when sharing CUI. This behavior can drive more organizations to require CMMC 2.0 certifications than the DoD alone would.

Note B – Similarly, if primes require C3PAO assessments rather than self-assessments, that may drive organizations to seek certification who otherwise would not. This again makes it easier for the prime, because it would not need to distinguish, contract by contract, when a self-assessment is permitted.

Note C – Waivers appear to be very rare. If you have multiple contracts or plan to have multiple contracts in the future, it is unlikely that all would be eligible for a waiver.

Note D – POA&Ms will only apply to minor items. While this might save you from a failure if you do not have one item in place, it does not mean you can be certified without addressing some of the larger, more costly aspects of NIST 800-171.

CMMC 2.0 FAQ

What is the availability of getting an assessment?

In CMMC 2.0 at Level 2, to complete an independent assessment you will need to engage a C3PAO. This is a free-market option and, assuming availability, it should be easy to engage one; note, however, that the supply of accredited C3PAOs and assessors remains a concern (see below). If you require Level 3, a government-led assessment, the request process and the amount of lead time required are not yet known.

Who is eligible for a Level 2 self-assessment?

The DoD indicated that "a subset of programs with Level 2 ("Advanced") requirements do not involve information critical to national security, and associated contractors will only be required to conduct self-assessments." How many programs do not involve information critical to national security? If that is a low percentage, then fewer companies can use a self-assessment for Level 2. Who will make that determination? If the contracting officer makes that call, will they err on the side of caution? Does making that call require more or less work for the contracting officer? Can the contracting officer decide that the prime is handling information critical to national security but the subcontractor is not? How this will work is critical and not yet explained.

Where will level requirements be spelled out? In the contract, tied to the program or based on the data?

CMMC will be required when a contractor is handling CUI, and the required level should be spelled out in the contract. If a contract involves no CUI, it will likely require Level 1. Under CMMC 1.0, it was not clear whether the contract would state that CMMC Level X is required simply for being on the program, or only for being on the program and possessing CUI. It is expected that under CMMC 2.0 the contract will make that distinction; in the latter case, a subcontractor that does not receive CUI could still perform on the contract under a lower-level requirement. The DoD stated, "a subset of programs with Level 2 ("Advanced") requirements do not involve information critical to national security, and associated contractors will only be required to conduct self-assessments." So, it seems the DoD intends to allow this, but exactly how it will occur is not yet clear. Will contractors be able to decide? Will the DoD be explicit in rulemaking or in the contracts?

If I have a third-party assessment, will I still need to self-assess?

It is not clear at this time; however, the DoD has said it is considering asking contractors to confirm annually even when they hold a certification. Because a CMMC certification is good for three years, it makes sense that the DoD would want confirmation from the contractor that its environment is still in compliance with the requirements.

When will waivers be allowed?

The DoD said waivers will be "allowed on a very limited basis in select mission critical instances, upon senior leadership approval." This statement makes clear that waivers will not be frequent. Who receives waivers, and how, is still to be determined. The DoD's comments since CMMC 2.0 was released have further confirmed that waivers will be limited in nature, and implied that a waiver would be sought by the DoD before the contract is executed or even before the solicitation is issued.

What are the restrictions for POA&Ms?

The DoD noted that "highest weighted requirements cannot be on POA&M list" and that "DoD will establish a minimum score requirement to support certification with POA&Ms." This means the NIST 800-171 requirements that carry three- and five-point values in the DoD Assessment Methodology are likely not eligible for a POA&M. Additionally, organizations would need to achieve a minimum score before becoming eligible for POA&Ms at all; where that score will be set is not known. POA&Ms are also only an option for a limited time. It is sounding like the DoD is planning for that window to be less than six months, which means a POA&M will not be available for most of the requirements and, where it is, is only good for a limited period.

The following topics remain unchanged in CMMC 2.0. Read below to understand the impact.

The risk remains unchanged and continues on an upward trend line, which the DoD acknowledged in their release, “The Defense Industrial Base (DIB) is the target of increasingly frequent and complex cyber attacks by adversaries and non-state actors. Dynamically enhancing DIB cybersecurity to meet these evolving threats, and safeguarding the information that supports and enables our warfighters, is a top priority for the DoD. CMMC is a key component of the DoD’s expansive DIB cybersecurity effort.”

CMMC 1.0 was introduced as a requirement prior to procurement. The DFARS 252.204-7021 clause would require a contractor to achieve certification prior to award. This aspect does not appear to be changed in CMMC 2.0. The clauses will be modified, but it is clear that the DoD will include the cybersecurity requirements in their acquisitions.

A hallmark of CMMC 1.0 is the requirement for a third party to assess the practices and processes actually in place, to help ensure the associated capabilities exist. CMMC 2.0 still requires this verification. The DoD stated, "CMMC provides the Department assurance that contractors and subcontractors are meeting DoD's cybersecurity requirements."

CMMC has always had the intent of protecting CUI. This does not change with the adoption of CMMC 2.0. Many contractors have expressed concern over the marking of CUI. CMMC 2.0 does not address this specific issue.

CMMC 1.0 at Level 1 overlapped with FAR 52.204-21's requirements. At Level 3, 110 of its 130 practices came from NIST SP 800-171; the remaining 20 practices, along with the process maturity requirements, were additions.

CMMC 2.0 at Level 1 still overlaps with FAR 52.204-21's requirements. At CMMC 2.0 Level 2, only the 110 practices are required and no processes, and these practices map directly to NIST SP 800-171. It is fair to state that CMMC 2.0 Level 2 requires nothing beyond what DFARS 252.204-7012, the clause that first brought the NIST 800-171 requirement into contracts, already requires.

Neither CMMC 1.0 nor CMMC 2.0 changes DFARS 252.204-7012. If this clause is in your contract, you are obligated to implement NIST 800-171 and to report cyber incidents to the DoD within 72 hours of discovery. The clause also still requires that, if the contractor intends to use an external cloud service provider (CSP) to store, process or transmit covered defense information in performance of the contract, the CSP meet security requirements equivalent to the FedRAMP Moderate baseline.

CMMC 1.0 and 2.0 assessments completed by a C3PAO are good for a three-year period. Originally, the process level requirements provided some assurance that the practices would stay in place over time. Without these elements, the DoD has less assurance that the practices will remain in effect during the three-year period.

CMMC 1.0 and CMMC 2.0 both include a combination of storing self-assessment results in SPRS and third-party assessment results in eMASS. These results will only be visible to the DoD and the organization. No other entities will have access to see the company’s score and results.

The DoD's CMMC 2.0 website indicates that "the CMMC-AB will accredit CMMC Third-Party Assessor Organizations (C3PAOs)" and the CMMC Assessors and Instructors Certification Organization (CAICO), and that "Accredited C3PAOs will be listed on the CMMC-AB Marketplace." This does not appear to have changed. The original announcement used language like "independent assessment" and did not refer to C3PAOs, which caused some speculation; that appears to be resolved.

One significant concern with CMMC 1.0 was the lack of clear scoping guidance. With the release of CMMC 2.0, this concern is not yet addressed. The closest thing to scoping guidance comes from NIST 800-171: "The requirements apply only to the components of nonfederal systems that process, store or transmit CUI, or that provide protection for the system components." In practice, any system component that stores, processes or transmits CUI, and any component that provides security protection for those components (for example, the directory service, firewall or log collector serving the CUI environment), should be treated as in scope for CMMC 2.0.

The DFARS 252.204-7019 and 252.204-7020 clauses, which require a contractor to conduct a self-assessment and post the score to the DoD's SPRS site, do not appear to be significantly changed. The only slight modification that might result from CMMC 2.0 is the requirement for annual assessments "accompanied by an annual affirmation from a senior company official that the company is meeting requirements." Further, the DoD site notes that "the Department intends to require companies to register self-assessments and affirmations in the SPRS."

One major concern and pain point of CMMC 1.0 was the lack of C3PAOs and assessors. This issue is not addressed in CMMC 2.0. The CMMC-AB indicated that C3PAOs are still required to be assessed by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) before they can perform assessments. Unless changes are made, the DoD will need to carefully time the inclusion of CMMC 2.0 requirements in contracts in light of a potential shortage of C3PAOs.

There were numerous draft versions of CMMC prior to 1.0, and the trend has been for the requirements to decrease over time: CMMC 0.4 had far more practices than 1.0. Now that we have reached CMMC 2.0, Level 2 cannot remove any further items without violating 32 CFR 2002, which requires nonfederal systems that contain CUI to implement NIST 800-171. However, the DoD still notes, "As a result of the alignment of CMMC to NIST standards, the Department's requirements will continue to evolve as changes are made to the underlying NIST SP 800-171 and NIST SP 800-172 requirements."

The following topics change as a result of CMMC 2.0. Read below to understand the impact.

CMMC 2.0 requires that an annual affirmation be made by a senior company official. This affirmation is effectively a statement that the self-assessment results reported via the DoD's SPRS site are accurate. If the self-assessment results are inaccurate, this appears to expose both the organization and the individual official to potential enforcement action. Additionally, the DOJ recently announced its intent to hold accountable entities or individuals that knowingly misrepresent their cybersecurity practices. As an organization, you should determine who will serve as the senior official making the affirmation and what process will be employed to support it. This is similar to the SOX Section 302 requirement that those responsible for oversight of financial reporting certify that controls are in place; most companies have an annual testing process that provides assurance to the CFO and CEO before they sign such statements. It would be logical for something similar to be instituted for CMMC 2.0.

CMMC 2.0 still requires assessments, but not all need to be completed by a C3PAO. Assessments now include government-led and self-assessments. CMMC 2.0 Level 1 requires a self-assessment and Level 3 requires a government-led assessment. CMMC 2.0 Level 2 requires a C3PAO to complete an assessment if the associated programs “involve information critical to national security.”

CMMC 1.0 had published assessment guides. At the time of CMMC 2.0’s release, the DoD indicated that assessment guides will be forthcoming. Presumably, since the CMMC 2.0 Level 2 is based on NIST 800-171, the DoD will employ NIST 800-171A or something similarly aligned as the assessment guide.

CMMC 1.0 did not allow waivers; CMMC 2.0 introduces them. It is important to note that a waiver would apply to the whole of the CMMC requirement for a contract, not to an individual practice. Waivers are said to be "allowed on a very limited basis in select mission critical instances, upon senior leadership approval." For most contractors, it appears this will not directly apply to them.

CMMC 1.0 famously did not allow for POA&Ms. This meant all practices had to be in place without issue for an organization to achieve their certification. The DoD notes that “highest weighted requirements cannot be on POA&M list” and that the “DoD will establish a minimum score requirement to support certification with POA&Ms.”

The DoD indicated it would need to undergo a period of rulemaking to bring about the aspects of CMMC 2.0. It is not yet clear whether that will simply be a change to the DFARS 252.204-7021 clause from the current interim rule or whether new clauses will be created. It is imperative for contractors to pay attention and provide feedback during the 9-24 month rulemaking period.

The DoD indicated that the CMMC 2.0 requirements "will not be a contractual requirement until the DoD completes rulemaking to implement the program. The rulemaking process and timelines can take 9-24 months. CMMC 2.0 will become a contract requirement once rulemaking is completed." This changes the prior understanding that the DoD was allowed to include CMMC as a contractual requirement in 2021. Additionally, this means the pilot contracts that the DoD indicated would include CMMC are not going to include that requirement at this time.

CMMC 1.0 included the .999 and .998 processes that were very prescriptive about the content and structure of policies. These aspects went away with CMMC 2.0. However, 49 of the 110 NIST 800-171 requirements include assessment objectives that require you to define something. Most likely this is a definition in a policy or procedure. Further, the CMMC 2.0 requirements include a senior official making an affirmation, who likely is more comfortable making such affirmation if the company has governance (i.e., policies and procedures) that require performance of the NIST 800-171 practices.

Learn more about the 49 practices with the requirement to define a policy or procedure.

The 20 items that CMMC 1.0 Level 3 required above and beyond NIST 800-171 are known as the "Delta 20." CMMC 2.0 eliminates the need to assess these items. Six of the 20 are no longer required either directly or by inference from the remaining NIST 800-171 requirements. However, in our opinion, these practices are still equally needed for the security of your environment.

Are the Delta 20 dead? Learn more.

Baker Tilly is a candidate CMMC Third-Party Assessor Organization (C3PAO), ready to help you achieve CMMC readiness or official assessment objectives.

Matt Gilbert
Principal