But the Department of Defense (DoD or Department) issued a press release on November 4, 2021, indicating its intent to suspend CMMC 1.0 (as the original version was called) and replace it with CMMC 2.0. This is major news because defense contractors, and the DoD at large, have struggled to implement CMMC 1.0 since it became effective just over a year ago.
In short, defense contractors should be aware that CMMC 2.0 is essentially a leaner and more flexible version of CMMC 1.0, which we have previously discussed in our June 15, 2020 CMMC client alert, and in a subsequent client alert analyzing the CMMC pilot program and certification reciprocity. The DoD’s press release and Advanced Notice of Proposed Rulemaking make it clear that CMMC 2.0 will make significant changes to its predecessor. Ultimately, Title 32 of the Code of Federal Regulations (C.F.R.) will be amended, and changes are coming to the Defense Federal Acquisition Regulation Supplement (DFARS) in Title 48 of the C.F.R. According to the DoD, CMMC 2.0 will cut red tape for small and medium-sized businesses, set priorities for protecting DoD information, and reinforce cooperation between the DoD and industry in addressing evolving cyber threats. This alert provides important comparisons between CMMC 1.0 and CMMC 2.0 and discusses how the CMMC 2.0 roll-out will impact your business.
CMMC levels
CMMC 1.0 was intended to measure Defense Industrial Base (DIB) contractors’ cybersecurity processes and practices, which were commonly referred to as a contractor’s cybersecurity “maturity.” Under CMMC 1.0, there were five maturity levels defense contractors could achieve: Basic, Intermediate, Good, Proactive, and Advanced. We have previously provided a brief description of these levels in our client article on “[h]ow defense contractors can navigate the rising tide of cybersecurity regulations.” Under CMMC 2.0, there will only be three maturity levels: Foundational, Advanced, and Expert. This new structure will eliminate CMMC 1.0 levels 2 (Intermediate) and 4 (Proactive), which served as stepping stones for contractors to achieve CMMC levels 3 and 5 under CMMC 1.0.
It appears that the Foundational Level will apply to companies that process, store, or handle Federal Contract Information (FCI) and that the DoD will allow companies to perform self-assessments to demonstrate compliance. FCI is defined as information not intended for public release that is provided by or generated for the government under a contract to develop or deliver a product or service to the government. FCI does not include information provided by the government to the public. The Foundational Level will likely also require companies to comply with a limited subset of the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 controls.
At the Advanced Level, compliance will be mandatory for companies that process, store, or transmit Controlled Unclassified Information (CUI). CUI is information that requires safeguarding or dissemination controls consistent with applicable laws, regulations, and government-wide policies, but is not classified under Executive Order 13526 “Classified National Security Information” or the Atomic Energy Act, as amended. If the contract also involves information critical to national security, the DoD will require the contractor to obtain a third-party assessment from an organization accredited by the CMMC Accreditation Body; otherwise, the DoD will allow the company to perform a self-assessment. At the Advanced Level, businesses should expect to be fully compliant with the full suite of NIST SP 800-171 requirements.
At the Expert Level, it appears that contractors will be required to comply with NIST SP 800-172 requirements and will likely also be required to undergo an assessment conducted by government officials. The NIST SP 800-172 supplements the requirements imposed by the NIST SP 800-171 by providing 35 enhanced security requirements designed to safeguard CUI from cybercriminals whose intent is to infiltrate systems to steal national security-related data. The DoD has indicated that the requirements at this level are still being drafted.
Cybersecurity maturity requirements
Defense contractors working towards CMMC 1.0 certification are well aware of the importance of the NIST SP 800-171, which is essentially a codification of 110 cybersecurity requirements for protecting the confidentiality of CUI that is housed in nonfederal information systems. The NIST SP 800-171 requirements were a key aspect of the CMMC 1.0 framework. In fact, in 2016, long before the development of CMMC 1.0, defense contractors were required to implement NIST SP 800-171 security requirements for all covered contractor information systems. However, because contractor implementation of these requirements was so sporadic, the DoD reiterated the requirement by publishing guidance in 2017, and via the promulgation of DFARS 252.204-7012 in 2020.
CMMC 2.0 still tracks closely with the NIST SP 800-171, even though it reduces the number of maturity levels from five to three and simplifies the requirements at each of the three remaining levels. For example, the CMMC 2.0 Foundational Level will require the same 17 basic cybersecurity safeguards that were required under CMMC 1.0 Level 1, and the CMMC 2.0 Advanced Level will require defense contractors to meet the 110 requirements imposed by the NIST SP 800-171. In theory, contractors should already be in compliance with the CMMC 2.0 Advanced Level because compliance has been a requirement since the 2016 timeframe. The CMMC 2.0 Expert Level will ultimately require certain defense contractors to meet NIST SP 800-172 cybersecurity requirements, along with a number of additional requirements that have not yet been disclosed.
Self-assessments, third-party assessments, and DoD assessments
Under CMMC 1.0, a CMMC Third Party Assessment Organization (C3PAO) was required to assess each defense contractor’s cybersecurity maturity and issue a certification of CMMC compliance at the level commensurate with the contractor’s internal cybersecurity controls. Put plainly, self-assessments and attestations were not sufficient at any of the five CMMC 1.0 Levels. However, CMMC 2.0 makes some significant changes in this area by allowing defense contractors to demonstrate compliance by conducting annual self-assessments of Foundational Level compliance. Importantly, an Advanced Level self-assessment will be sufficient for a certain subset of “non-prioritized” acquisitions requiring Advanced Level CMMC 2.0 certification. According to the Office of the Under Secretary of Defense, Acquisition & Sustainment, third-party assessments will only be required for high-priority procurements with national security implications mandating an Advanced Level certification. And for programs that are determined to require an Expert Level 3 certification, defense contractor assessments will be government-led. This change has the potential to address the enormous shortage of C3PAO assessors that existed under the CMMC 1.0 framework, which undoubtedly impacted rollout and application to what would eventually be 300,000 or more defense contractors.
Flexibility
Another difference between the CMMC 1.0 and CMMC 2.0 frameworks worth noting relates to the flexibility of the framework itself. Without question, CMMC 1.0 did not provide a flexible implementation approach. Said plainly, CMMC 1.0 required contractors to implement 100 percent of their security practices before they could be assessed as compliant with the requirements associated with a specific Level. CMMC 2.0 provides defense contractors with some flexibility should they fall short of full compliance at any level. For example, under certain circumstances, contractors are permitted to use Plans of Action & Milestones (POA&Ms) to achieve certification at a given level within a certain timeframe. Notably, a defense contractor relying on a POA&M will still be required to achieve a certain minimum score to support CMMC certification. Further, CMMC 2.0 provides for the possibility of obtaining a waiver to its requirements when such waiver is necessary to accomplish mission-critical work. This flexibility was not baked into the CMMC 1.0 framework.
Takeaways
The DoD is moving forward with releasing more information regarding CMMC 2.0 as it becomes available, and we will continue to follow the developments in this area and provide updates on impacts that flow from these developments. Importantly, the DoD has explicitly stated that CMMC 2.0 will not be a contractual requirement until the rulemaking process is complete, which is estimated to take anywhere from nine to 24 months. Defense contractors will accordingly have a bit more time to work towards compliance and should not expect to see references to CMMC 2.0 in solicitations and requests for proposals until that time.
Until implementation of CMMC 2.0, all defense contractors and those seeking to become defense contractors should continue to improve their cybersecurity health and wellness. Current requirements still mandate that defense contractors that hold CUI and FCI implement the NIST SP 800-171 standards in most cases and have a current NIST SP 800-171 DoD assessment posted in the Supplier Performance Risk System (SPRS).
Non-U.S. defense contractors should anticipate that the DoD will be working with international stakeholders to establish agreements related to cybersecurity with the goal of ensuring that non-U.S. companies supporting U.S. warfighters will be equipped to safeguard U.S. national security information. The DoD has stated that these agreements will provide a way for the CMMC 2.0 framework to be applied to non-U.S. companies.
Should you have any questions on current guidance and future implementation of CMMC 2.0, please do not hesitate to contact any member of Reed Smith’s team of dedicated attorneys who have authored this alert and who are working collaboratively at the intersection of government contracting, cybersecurity, and data protection.
Client Alert 2021-214