CMMC 2.0 Changes and What They Mean to Your Organization’s Compliance Strategy
The announcement of CMMC 2.0 has garnered a lot of attention throughout the Defense Industrial Base (DIB). With that attention comes the anxiety of change and uncertainty, especially for DIB organizations and their consultants who have already made considerable progress toward accomplishing their CMMC objectives. Although these changes seem daunting, it’s important to consider that most of them are simply a refinement of the existing CMMC requirements, rather than a redefinition of the standards altogether. Most, if not all, of the reported changes involve controls and practices that an organization following CMMC 1.0 has already implemented or is currently working toward completing. There are, however, a few other changes beyond the proposed realignment of the levels that organizations should be aware of. Despite the waves CMMC 2.0 has caused, it should also be noted that the 2.0 standard has not been finalized and is subject to change before becoming part of law.
So, what are the changes in CMMC 2.0 that organizations should keep in mind through this evaluation period? In short, not as many as you would think, as many of the requirements and their implementation timelines will remain the same. As with CMMC version 1.0, the CMMC 2.0 requirements will apply to all primes and subcontractors within the DIB; what will change is how the requirements are structured. Rather than the original CMMC’s five maturity levels, CMMC 2.0 will have three maturity levels based on the covered information within the system. Although it was originally intended that businesses would progress toward their obligated level starting with Level 1 and working up through each level to their required level (usually 3 or 5), CMMC 2.0 does away with this progression and instead assigns an organization’s obligated level (likely CMMC 2.0 Level 1 or 2) based on the CUI or FCI contained within the system. An overview of each level is provided later in this article.
According to the DoD, the overall changes and objectives of CMMC 2.0 are meant to streamline and simplify the compliance process for organizations, although they should probably be considered more as a refinement of the existing CMMC requirements than a redefinition of the framework’s standards altogether. However, a significant change worth noting within CMMC 2.0 is the ability to leverage POA&Ms (Plans of Action and Milestones), which were previously only allowed under NIST SP 800-171. While permitted only in limited cases, this is a huge change to any organization’s CMMC compliance strategy that will hopefully lessen the impact of implementation costs and ultimately help encourage DIB contractors to comply with the full breadth of CMMC 2.0’s requirements. However, despite this concession and unlike NIST SP 800-171 POA&Ms, there will be stringent timelines for closing the gaps in an organization’s compliance strategy, rather than the way POA&Ms are often used today as a means to indefinitely postpone implementation.
Another significant change is the addition of self-attestation at the lower levels. Although self-attestation seems like a great opportunity to minimize third-party assessment costs, there are a number of concerns and pitfalls that organizations should keep in mind as part of this new provision. Self-attestation requires someone at the business to perform a NIST SP 800-171 self-assessment (at Level 2), providing a statement to the government that the organization is meeting all of the controls of NIST SP 800-171. Although this is seemingly straightforward, this new modification presents a considerable risk in the form of the False Claims Act (FCA), which holds an organization financially and criminally liable if it is discovered that they are not fully compliant, whether through an intentional false statement or an inadvertent act that renders them non-compliant. In short, the DoD is making it abundantly clear that ignorance is not an excuse when it comes to attesting to an organization’s compliance with NIST SP 800-171, and any breach that conflicts with the self-assessment and can be perceived as deceptive could present a multitude of liabilities to the organization and to the leadership staff who sign off on these assessment attestations. (Ethically, this author must discourage self-attestation by organizations. The financial risk of self-attestation far outweighs the potential savings from forgoing the cost of an independent third-party assessor, or C3PAO.)
Alongside the new self-attestation requirements, the other considerable change to the CMMC 2.0 framework is that it moves from a five-level model to a three-level model, eliminating levels 2 and 4, which were found to have little practical use. Moving forward, the required level will be based on an organization’s contract requirements, which take into account factors such as information sensitivity (e.g., FCI, ITAR or CUI) on unclassified systems and networks, and will be based on the familiar NIST SP 800-171R2 and NIST SP 800-172 standards, depending on the required level. It should be noted that if an organization is already CMMC compliant, the adoption of CMMC 2.0 at their mandated level should be rather straightforward. For organizations that aren’t quite there yet, as with CMMC 1.0, each level incorporates increasing complexity and requires a higher level of security.
The first level of CMMC 2.0 is titled “Foundational” and is frequently referred to simply as “Level 1”. It requires an annual self-assessment covering 17 required practices, but it falls short of what most cybersecurity professionals would consider a minimum standard of security, as it does not follow many established best practices.
The second level of CMMC 2.0, titled “Advanced”, is similar to the current Level 3 of CMMC 1.0. It incorporates the NIST SP 800-171R2 controls as the standard but may cause some confusion, as there are two categories within this level. The first applies to a limited subset of organizations that will have to provide an annual self-assessment and self-attestation. Most organizations will fall under what is starting to be called “2 High”, and organizations in the “2 High” category will be required to undergo a third-party assessment every three years. The NIST SP 800-171R2 standard should be familiar to most DIB contractors, as it has been part of their contract obligations for several years, and to some it may feel like a return to normal.
The third level of CMMC 2.0, titled “Expert”, is the most stringent level and is similar to the current Level 5 of CMMC 1.0. The most notable addition is that of the NIST SP 800-172 controls on top of the NIST SP 800-171 controls already required at Level 2. Like Level 2, this level carries a triennial third-party assessment requirement.
Despite all these proposed changes, and as previously stated, CMMC 2.0 is a draft standard that is not expected to be finalized until late summer 2022 at the earliest, and possibly as late as May 2023. When the draft standard is approved, compliance will become law for those companies that handle CUI and/or FCI for the U.S. government and will fall under Part 32 of the Code of Federal Regulations (C.F.R.) as well as DFARS in CFR Part 48. While CMMC 2.0 has not yet been codified, it is undeniably coming, and for most organizations NIST SP 800-171 is a current reality that many have fallen short of implementing in full. Few, if any, further changes associated with CMMC 2.0 are expected at this time, but making sure your company is ready should be a priority, both from a cybersecurity best-practices standpoint and, of equal importance, to fulfill your contractual obligations. In short, despite the proposed changes to the CMMC model, it is of the utmost importance that DIB contractors maintain their trajectory toward becoming fully NIST SP 800-171 compliant so that once the CMMC changes are adopted, they can fulfill those requirements on day 1. These requirements cannot be achieved overnight; based on our experience, most organizations (depending on their current posture) take between 6 and 18 months to become compliant and ready for their C3PAO assessments. It is critical to keep in mind that these proposed changes should not be perceived as an opportunity to delay your CMMC implementation strategy, because once these changes are approved, you will be held accountable to those standards.