The DoD’s major change to the Cybersecurity Maturity Model Certification (CMMC) program is having an impact on government contractors.
by Matt Gilbert, CISA, CRISC, Principal at Baker Tilly
After conducting an internal review, the Department of Defense (DoD) recently announced a major change to the Cybersecurity Maturity Model Certification (CMMC) program.
According to the DoD, the updated framework, now called CMMC 2.0, will:
- Simplify the CMMC standard and provide additional clarity on cybersecurity regulatory, policy and contracting requirements
- Focus the most advanced cybersecurity standards and third-party assessment requirements on companies supporting the highest priority programs
- Increase DoD oversight of professional and ethical standards in the assessment ecosystem
Many organizations are now wondering what is changing with CMMC requirements and what stays the same? What key questions still need to be answered?
Five Key Changes in CMMC 2.0
Much of CMMC remains the same; however, many government contractors need to evaluate and understand these five key changes:
- Preparation and timeline – According to current guidance from the DoD, CMMC 2.0 will require 9-24 months of rulemaking. Organizations should use this time and their resources wisely by implementing NIST 800-171 (which is already present in contracts as DFARS 252.204-7012). Implementing NIST 800-171 will improve the self-assessment score you post to the DoD’s Supplier Performance Risk System (SPRS), for which the DoD indicates there may be incentives for improved scores and/or early adoption of CMMC 2.0.
- Annual affirmation – CMMC 2.0 calls for an annual affirmation from a senior company official at least at level 1 but likely to be required for other levels in the off-assessment years. This requirement is reminiscent of Sarbanes-Oxley (SOX) 302. Additionally, the Department of Justice (DOJ) announced an intent to hold entities or individuals accountable that knowingly misrepresent their cybersecurity practices. Organizations should begin evaluating their process for completing this affirmation, determine who will sign the affirmation and what basis is required to be comfortable signing.
- Plan of action and milestones (POA&Ms) and waivers – Only a small number of waivers will be granted, benefiting a limited number of contractors. POA&Ms will only apply to the lower risk requirements after an organization achieves a higher level of compliance.
- Policies and procedures – While it is true that CMMC 2.0 eliminates the process requirements, NIST 800-171 requires 49 of the 110 items to be “defined,” which is typically in the form of a policy or procedure. Further, if you make claims about your organization’s cybersecurity environment annually to the DoD, it is beneficial to have rigor and structure to ensure those statements remain accurate.
- Self assessments – While organizations pursuing CMMC Level 1 will benefit from self-assessments, most contractors who have concerns about CMMC were targeting the prior Level 3 (new Level 2) and above. In CMMC 2.0, most contractors that handle controlled unclassified information (CUI) will require a third-party assessment or DoD-led assessment if the associated programs “involve information critical to national security.” The DoD has indicated it will err on the side of caution, meaning many contractors will have at least one such contract and will not be eligible for self-assessment.
How will CMMC 2.0 impact your organization?
The decision tree and notes below can provide some further insight into how CMMC 2.0 may impact your organization.
Note A – While the DoD may not require CMMC 2.0, some prime contractors (prime) are pushing their supply chain to comply. Doing so makes it easier for the prime. If all preferred providers are CMMC 2.0 Level 2 or higher, they have less to worry about when sharing CUI. This behavior can drive more organizations to require CMMC 2.0 certifications.
Note B – Similar to Note A, if primes require Certified Third-Party Assessor Organization (C3PAO) assessments and not self-assessments that may drive organizations to seek certification who otherwise would not. This again would make it easier for the prime because they would not need to make the distinctions or fulfill/address requirements in contracts to understand when a self-assessment is permitted.
Note C – Waivers appear to be very rare. If you have multiple contracts or plan to have multiple contracts in the future, it is unlikely that all would be eligible for a waiver.
Note D – POA&Ms will only apply to minor items. While this might save you from a failure if you do not have one item in place, it does not mean you can be certified without addressing some of the larger, more costly aspects of NIST 800-171.
While the changes to CMMC 2.0 seem like a major reduction in effort at first, further examination shows that it does not change much of the original burden for most contractors. A small percentage will avoid C3PAO certification or otherwise obtain waivers, however the vast majority of organizations will still need to properly prepare for CMMC to win future contracts with the DoD.
Matt Gilbert is a principal in Baker Tilly’s risk advisory practice and leads the Cybersecurity Maturity Model Certification (CMMC) and Government Contractor IT Risk suite of services.