The basic premise of Cybersecurity Maturity Model Certification (CMMC) is that by 2025 all contractors and subcontractors in DoD’s supply chain, with the exception of commercial-off-the-shelf product providers, would have to obtain a third-party certification of their cybersecurity proficiency before performing an awarded contract. Since the rollout, DoD and its industry partners have accomplished a lot of significant work: a detailed cybersecurity hygiene model was rolled out, the accreditation body was established, training was created, and seven contracts were identified as the first DoD contracts that would require Cybersecurity Maturity Model Certification.

CMMC was established for good reason: cybersecurity threats are increasing and growing more sophisticated, and DoD has compelling evidence that contractor compliance with existing cybersecurity self-certifications is deficient. The specter of CMMC as a future requirement in all DoD contracts, coupled with near-term requirements for Supplier Performance Risk System score reporting, has grabbed the attention of many Defense industrial base members. Small business contractors who encounter CMMC before their competitors, by virtue of a new contract opportunity, would be at a competitive disadvantage. They would have to account for the cost of a CMMC certification in their general and administrative or overhead cost pools, whereas their competitors would not.

In November 2021, the Department announced “CMMC 2.0,” an updated program structure and requirements designed to achieve the primary goals of the internal review:

  • Safeguard sensitive information to enable and protect the warfighter
  • Dynamically enhance DIB cybersecurity to meet evolving threats
  • Ensure accountability while minimizing barriers to compliance with DoD requirements
  • Contribute towards instilling a collaborative culture of cybersecurity and cyber resilience
  • Maintain public trust through high professional and ethical standards






The changes reflected in CMMC 2.0 will be implemented through the rulemaking process. Companies will be required to comply once the forthcoming rules go into effect. The Department intends to pursue rulemaking both in Part 32 of the Code of Federal Regulations (C.F.R.) as well as in the Defense Federal Acquisition Regulation Supplement (DFARS) in Part 48 of the C.F.R. Both rules will have a public comment period. Stakeholder input is critical to meeting the objectives of the CMMC program, and the Department will actively seek opportunities to engage stakeholders as it drives towards full implementation.

While these rulemaking efforts are ongoing, the Department intends to suspend the current CMMC Piloting efforts and will not approve the inclusion of a CMMC requirement in any DoD solicitation.

The Department encourages contractors to continue to enhance their cybersecurity posture during the interim period while the rulemaking is underway. The Department has developed Project Spectrum to help DIB companies assess their cyber readiness and begin adopting sound cybersecurity practices.

The DoD is exploring opportunities to provide incentives for contractors who voluntarily obtain a CMMC certification in the interim period. Additional information will be provided as it becomes available.

DoD should clarify how other certification requirements, such as the Federal Risk and Authorization Management Program, would build into CMMC, so contractors do not have to prove out aspects of a system twice. Similarly, DoD should explore a re-use protocol so common shared services that can demonstrate compliance with CMMC do not need to be re-assessed for every contractor that consumes those services.

Inheritance, re-use, and reciprocity are key elements of allowing CMMC to scale to the entire DIB in a reasonable time at a reasonable cost. For example, FedRAMP provides clear guidance on inheritance from previously authorized cloud providers as well as re-use between agencies, which could be used as a model for similar concepts within the CMMC framework.

What we have seen validates the basic premise behind the necessity of CMMC: Implementation of current Defense Federal Acquisition Regulation Supplement cybersecurity requirements, such as DFARS 252.204-7012, which requires compliance with NIST Special Publication 800-171

If you have questions regarding CMMC 2.0 and whether or not it applies to you, Winsor Consulting has two Registered Practitioners that know the ins and outs of CMMC and would be glad to help you along your compliance journey.