There has been very little resistance to funding and beginning to implement the Department of Defense's zero trust cybersecurity strategy, according to Deputy Chief Information Officer for Cybersecurity and Senior Information Security Officer David McKeown. That has not been the case with Cybersecurity Maturity Model Certification, the Pentagon's tiered method for holding its defense industrial base partners accountable for protecting the sensitive information shared with them.
Over the last half decade, CMMC, as it’s known, has encountered “many roadblocks,” but McKeown nonetheless praised the “tremendous perseverance” of the department for its ongoing work consolidating and strengthening the program. The official, who is a former winner of the Wash100 Award, shared an update on the progress of CMMC version 2.0 at the Potomac Officers Club’s 2024 Cyber Summit on Thursday.
McKeown described how the initial program manager for CMMC, the Office of the Under Secretary of Defense for Acquisition & Sustainment, was "in a rush" to get the policy out and deviated from NIST SP 800-171, the widely used catalog of security requirements for protecting controlled unclassified information in nonfederal systems. OUSD(A&S) defined five different maturity levels for CMMC 1.0, which McKeown found to be needlessly complicated.
“When I took this over…we rationalized all of this, that we should stick to 171. And if we need to add extra controls, we work through NIST to add those controls and push those out to the public. We reduced the number of levels to three, and we made those levels make more sense,” McKeown stated.
For companies operating at level 1, which covers contractors that handle federal contract information but no controlled unclassified information, or CUI, that the department "really cares about," there is now the option of self-attestation against 15 controls. Certain companies at level 2 also have this option: every company at level 2 handles some CUI, but the DOD is only worried about a portion of it. Those at level 2 that qualify, and all of level 1, will not have to pay for a third-party assessment. This is in stark contrast to CMMC 1.0, which required a paid assessment even at the lowest level. "We reduced that burden on those particular DIB partners," McKeown said.
An estimated 50,000 to 80,000 companies fall into level 1, while roughly 80,000 companies at level 2 will need to pay for a full third-party assessment. That leaves level 3, which covers "our most critical programs and technologies."
"This goes beyond the third party assessments. You'll have to do that. But then, we're going to have the Defense Industrial Base Cybersecurity Assessment Center—the DIBCAC—come in. It's an organization under [OUSD(A&S)] and they'll do an assessment for NIST 800-172 on top of your 171 assessment," McKeown shared.
“If you’ve ever seen 172, there’s more controls in there that are about battling advanced persistent threats. It’s not just about ‘protect the data.’ It’s about doing battle with advanced persistent threats. So, much more rigor for these companies,” he continued.
McKeown estimated that there are roughly 600 companies who will need to submit to this most stringent accreditation process.
He also revealed that the department gathered 2,000 comments during a recent public comment period and "adjudicated them all." If all goes well, he said, the DOD should officially roll out CMMC 2.0 and begin including it in contract language in the first quarter of calendar year 2025.