DoD’s new CMMC program builds on previous framework, works towards improving DIB cybersecurity
The Department of Defense (DoD) released on Wednesday updated information on the agency’s way forward for the approved CMMC program changes, designated as ‘CMMC 2.0,’ which builds upon the initial CMMC framework to dynamically enhance defense industrial base (DIB) cybersecurity against evolving threats.
The Cybersecurity Maturity Model Certification (CMMC) framework has been designed to protect sensitive unclassified information that is shared by the Department with its contractors and subcontractors and provide assurance that federal contract information (FCI) and controlled unclassified information (CUI) will be protected at a level commensurate with the risk from cybersecurity threats, including advanced persistent threats (APTs).
Under the CMMC program, DIB contractors will be required to implement certain cybersecurity protection standards, and, as required, perform self-assessments or obtain third-party certification as a condition of the DoD contract award.
The Office of the Under Secretary of Defense for Acquisition and Sustainment said in a Proposed Rule that the changes reflected in the CMMC 2.0 framework will be implemented through the rulemaking process. The DoD will pursue rulemaking in both title 32 of the Code of Federal Regulations (CFR) and title 48 CFR to establish CMMC 2.0 program requirements and implement any needed changes to the CMMC program content in 48 CFR. Both rules will have public comment periods.
Publication of title 32 and title 48 CFR rules will implement DoD’s requirements for the updated CMMC version 2.0, which include various modifications from CMMC 1.0, according to the proposed rule. CMMC 1.0 was designed to protect FCI and CUI shared with and handled by DoD contractors and subcontractors on non-federal contractor information systems. CMMC 1.0 also involved five progressively advanced levels of cybersecurity standards and required that DIB contractors undergo a certification process to demonstrate compliance with the CMMC cybersecurity standards at a given level.
The modifications laid down in the proposed rulemaking include eliminating levels 2 and 4, and renaming the remaining three levels in the CMMC 2.0 program. Level 1 (Foundational) will remain the same as CMMC 1.0 Level 1, Level 2 (Advanced) will be similar to CMMC 1.0 Level 3, and Level 3 (Expert) will be similar to CMMC 1.0 Level 5.
The changes also include removing CMMC-unique practices and all maturity processes from all levels. For CMMC Level 1 (Foundational), annual self-assessments with an annual affirmation by DIB company leadership will be allowed. CMMC Level 2 (Advanced) assessment requirements will be bifurcated: prioritized acquisitions involving CUI will require an independent third-party assessment, while non-prioritized acquisitions involving CUI will require an annual self-assessment and an annual company affirmation.
CMMC Level 3 (Expert) will require Government-led assessments. The Department will also develop a time-bound and enforceable Plan of Action and Milestone process, and a selective, time-bound waiver process, if needed and approved. The title 32 CFR rulemaking for CMMC 2.0 will be followed by additional title 48 CFR rulemaking, as needed, to implement any needed changes to the CMMC program content in 48 CFR. DoD will work through the rulemaking processes as expeditiously as possible.
The Department of Homeland Security’s CISO Ken Bible said on Wednesday that he is concerned about the introduction of self-attestation under CMMC 2.0, especially how to ensure ‘trust’ and make sure contractors are ‘still meeting the standard,’ according to a report from Inside Cybersecurity.
The industry needs to be “focused on cybersecurity, building the reps and sets of a good cybersecurity culture in advance of an award and being able to show the mechanisms are in place to drive cybersecurity within a company,” he said, acknowledging this is “something we have paid lip service to in the past.”
Until the CMMC 2.0 changes become effective through both the title 32 CFR and title 48 CFR rulemaking processes, the Department will suspend the CMMC Piloting efforts and will not approve the inclusion of a CMMC requirement in DoD solicitations, the proposed rule added.
The CMMC 2.0 program requirements will not be mandatory until the title 32 CFR rulemaking is complete, and the CMMC program requirements have been implemented as needed into acquisition regulation through title 48 rulemaking.
Earlier this month, the DoD announced its CMMC 2.0 program, which will simplify the CMMC standard and provide additional clarity on cybersecurity regulatory, policy, and contract requirements. The Department said at the time that the new program would focus advanced cybersecurity standards and third-party assessment requirements on companies supporting the highest priority programs, and would increase DoD’s professional and ethical standards oversight of the assessment ecosystem.
As the FAR CUI rule comes online and agencies begin to wonder about verification and enforcement of NIST SP 800-171 implementation, “you will see the same systemic problems followed by the same paralyzing cognitive dissonance show up again and again,” compliance expert Jacob Horne pointed out in a LinkedIn post. “CUI has been allowed to flow unchecked into supply chains that exist below the cybersecurity poverty line. Agencies can’t continue to sit around and do nothing and the supply chains can’t lift themselves up by their cyber bootstraps,” he added.
A Federal Acquisition Regulation (FAR) rule is necessary to ensure uniform implementation of the requirements of the CUI program in contracts across the government, thereby avoiding potentially inconsistent agency-level action.
Someone needs to step up and make some hard decisions instead of continuing to fiddle while everything burns, according to Horne. “Everyone needs to snap out of it and realize that none of these problems originated with CMMC 1.0 and they certainly didn’t go away with CMMC 2.0,” he added.