CMMC - Cybersecurity Maturity Model Certification - has been a much-discussed topic in cybersecurity this year. Theft of intellectual property and sensitive information from all industrial sectors as a result of malicious cyber activity threatens economic security and national security.
This reality creates the need for enhanced security measures and certification (verification) for all businesses in the Defense Industrial Base (DIB). The CMMC effort builds upon existing regulation (DFARS 252.204-7012) that is based on trust, by adding a verification component (Certification) with respect to cybersecurity requirements. A "crawl, walk, run" approach is being introduced to phase in requirements from now through 2026.
The original CMMC plan included five levels of maturity, and certification for all businesses in the defense supply chain. We've previously published a comprehensive list of resources: https://www.ekaru.com/cmmc-resources
On November 4th, the DoD announced major changes to the CMMC program following a six-month internal program review. As a CMMC Registered Practitioner (RP) I participated in a briefing yesterday with the CMMC Accreditation Board (CMMC-AB) to learn about the changes ahead.
The changes are prompted by four general objectives:
- Clarify and streamline the CMMC model and make it more accessible.
- Ease the cost burden of CMMC to industry, especially for small and medium businesses.
- Address CMMC Ecosystem scalability (are there enough assessors?).
- Instill greater trust and confidence in the CMMC Ecosystem.
The CMMC 2.0 primary proposed changes:
- CMMC Model - Previously FIVE levels, now THREE levels:
  - Level 1 (Foundational): Self-attestation by Defense Industrial Base (DIB) companies. Third-party assessments have now been eliminated. 17 security practices.
  - Level 2 (Advanced): Will be bifurcated as a prioritization measure.
    - High-priority contracts will require third-party assessments.
    - Lower-priority contracts will only require self-attestation, for now. It is predicted that eventually all Level 2 contracts will require assessments.
  - Level 3 (Expert): Will require assessments. 110+ security practices.
- Eliminate CMMC-unique practices; the DoD will work closely with NIST to identify gaps in NIST SP 800-171.
- Waivers will be allowed on a limited basis. The previous model was pass/fail, but now progress can be demonstrated.
The CMMC requirement has introduced a lot of stress for small businesses that don't have vast resources to meet requirements. The main driver of CMMC was that self-assessment wasn't working well enough, so on the one hand this looks like a step backwards for security, but really the changes are a matter of practicality. The cost was too high for SMBs, and there aren't nearly enough C3PAOs (Certified Third Party Assessment Organizations) in the marketplace to support up to 300,000 companies seeking certification. Note that going forward, though, self-attestation may only be completed by senior company officials (CEO, CFO, etc.) to step up the commitment.
The Federal rulemaking process may require anywhere from 9 to 24 months, so there may be more changes ahead. Bottom line: cybersecurity is foundational and, like cost, schedule, and performance, should never be compromised, but there also needs to be a scalable and affordable way to make progress.