By Payam Pourkhomami, President & CEO of OSIbeyond
We live in an era where the security of the United States extends far beyond the conventional battlefield. Both state and non-state actors are engaged in hybrid warfare tactics that target physical assets and digital infrastructures. Therefore, robust cybersecurity measures are indispensable for safeguarding national security, protecting sensitive information and ensuring the integrity of defense operations.
The Department of Defense recognizes this evolving landscape and, in response, has been developing the Cybersecurity Maturity Model Certification 2.0. This initiative, which represents the DOD’s latest commitment to enhancing cybersecurity protocols within its contracting community, has recently reached a significant milestone with the publication of the CMMC 2.0 proposed final rule on December 26, bringing us much closer to the formalization of the program across the defense industrial base.
Cybersecurity is one of the major focuses for government chief information officers. Join Potomac Officers Club for the April 17th CIO Summit, which will assemble the most notable CIOs from across the DIB for Q&As, keynote speeches, networking and more. Register here today! Speakers include DOD Principal Deputy CIO Leslie Beavers and Intelligence Community CIO Adele Merritt.
This article intends to help government contractors and senior-level executives navigate the complexities of the CMMC 2.0 program and understand its implications on those working within or alongside the DIB.
Where does the CMMC 2.0 come from?
The CMMC 2.0 program is the culmination of more than two decades of evolving cybersecurity legislation and policy aimed at bolstering the cybersecurity of the DIB.
The groundwork began in 2002 with the Federal Information Security Management Act, which mandated federal agencies to fortify their information security systems. The Cybersecurity Research and Development Act of the same year further reinforced this foundation by providing the necessary funding for cybersecurity research.
Building upon these early efforts, a series of key initiatives, including the Risk Management Project and various NIST special publications, introduced a set of guidelines for federal information systems. These guidelines were instrumental in shaping the cybersecurity landscape and setting the stage for the development of the CMMC program.
A critical turning point came with Executive Order 13556 in 2010. This order established a uniform program for managing controlled unclassified information — a.k.a. CIU — defined as unclassified information that needs to be protected or controlled according to laws, regulations and policies that apply across the government. Before this order, different agencies had unique policies and methods for handling sensitive information, resulting in a disjointed and inconsistent approach to security.
But Executive Order 13556 and other past attempts to standardize and enhance cybersecurity measures faced challenges, particularly in their inconsistent implementation across the diverse landscape of contractors within the DIB. Aware of this problem and its potential consequences, the DOD published an interim rule to the Defense Federal Acquisition Regulation Supplement, or DFARS, in the Federal Register (DFARS Case 2019-D041), implementing the initial vision for the CMMC program.
The initial implementation of CMMC 1.0, which became effective on November 30, 2020, marked a significant step toward a standardized cybersecurity program within the DIB. However, the journey toward an effective and comprehensive model was far from over. The DOD’s commitment to refining and improving the CMMC model led to a comprehensive internal review in March 2021. This review was informed by a substantial volume of public comments and involved a critical assessment of the program’s structure and effectiveness.
Following this review, the DoD announced CMMC 2.0 in November 2021, addressing the challenges and feedback identified during the review process. The revision aimed to enhance the program’s accessibility, particularly for smaller contractors, and to better align it with widely accepted cybersecurity standards. Additionally, CMMC 2.0 incorporated a more flexible approach to compliance.
The path to finalizing CMMC 2.0 encountered delays as the Pentagon considered additional revisions. These delays were part of the DOD’s efforts to ensure that the program was robust and flexible enough to meet the diverse needs of the DIB while effectively countering sophisticated cyber threats. Finally, at the end of 2023, the much-anticipated rule for CMMC 2.0 was published.
What makes the CMMC 2.0 different?
CMMC 2.0 is split into three tiers based on the type of information that companies in the DIB handle. The tiered approach has the following benefits:
- Targeted security measures: Different types of information pose varying levels of risk. The tiered model allows for security measures to be appropriately scaled and targeted so that more sensitive data receives higher protection.
- Flexibility and scalability: The CMMC 2.0 program is adaptable to the size and capability of different contractors. Smaller companies handling less sensitive information can comply with the more achievable requirements of the lower tiers. On the other hand, larger companies or those handling more sensitive data can aim for higher levels.
- Streamlined compliance and assessment: With clearly defined levels, contractors can better understand their specific cybersecurity obligations and prepare accordingly for assessments.
Let’s explore the three tiers to understand their specific criteria and the compliance pathways they offer:
- CMMC level one: This level is intended for contractors exclusively handling federal contract information, or FCI. It requires compliance with 17 key requirements derived from the Federal Acquisition Regulation clause 52.204-21. Notably, with the advent of CMMC 2.0, the assessment process for level one has transitioned to a self-assessment model. This change implies that contractors can internally evaluate compliance with these 17 requirements instead of undergoing third-party assessments.
- CMMC level two: Intended for contractors holding CUI, this level validates the implementation of the 110 requirements contained in NIST SP 800-171 Revision 2. A significant development in CMMC 2.0 for level two is the introduction of the self-assessment option as in CMMC level one. It’s important to note that this self-assessment route may not be practical or applicable for most contractors, as discussed further below. This is especially true for subcontractors working under major prime contractors, as there is no mechanism for these primes to transfer a lower-tier assessment requirement to their subcontractors.
- CMMC level three: This highest tier within the CMMC 2.0 program is reserved for contractors integral to the DOD’s most critical programs and technologies. Typically, contractors selected for a high-level assessment by the Defense Industrial Base Cybersecurity Assessment Center, or DIBCAC, are the primary candidates for this level. Level three not only encompasses all the requirements of level two but also adds 24 requirements from NIST SP 800-172. Assessments at this level are directly conducted by the DIBCAC. It’s crucial to recognize that the DIBCAC’s capacity for conducting assessments can limit the number of contracts with a level three requirement, making it a more exclusive tier.
As we’ve already touched upon, the CMMC 2.0 program relies on two distinct types of assessments to meet the needs and realities of contractors at different levels. These assessment types—self-assessment and certification assessment—serve the same purpose (determine a contractor’s adherence to the required cybersecurity practices), but they differ in their application and oversight mechanisms:
- Self-assessment: Used exclusively at CMMC level one and expected to also be adopted by approximately 5 percent of level two contractors, self-assessments allow contractors to annually conduct internal reviews of their compliance with CMMC requirements. These self-assessments require diligent adherence to the CMMC assessment guides and scoring methodology as mandated. The results of these evaluations are then reported within the Supplier Performance Risk System in the same way as the current DOD Assessment Methodology scores are reported per DFARS 7019/7020. Beyond the initial reporting, there’s also a requirement for an annual submission of an affirmation of compliance by senior management. This process fosters a culture of ongoing cybersecurity vigilance and accountability within the contracting entity.
- Certification assessment: As the complexity and sensitivity of the information increase, so does the need for a more rigorous assessment process. This is where triennial certification assessments come into play, expected to be used by the vast majority of CMMC level two and all CMMC level three contractors. For level two, certification assessments are typically carried out by a Certified 3rd Party Assessor Organization, whose job is to provide an external validation of a contractor’s compliance with the required security protocols. At Level 3, this process is taken over directly by the Defense Contract Management Agency’s DIBCAC to reflect the heightened security requirements for contractors engaged in the DOD’s most critical programs.
With the introduction of tiered levels and two types of assessments, the CMMC 2.0 balances rigor with reason. For government contractors, these changes underscore the importance of a proactive cybersecurity posture and offer a clearer path to compliance. The distinct levels and corresponding assessments are designed with an eye toward security and also with consideration for the operational diversity of the contractors they govern.