DoD’s CMMC Model version 2.0; what changed?!
Was version 2.0 simply an update to the previous model of Cybersecurity Maturity Model Certification?
The simple answer is NO! The update was more like a saw than a scalpel for emergency field surgery.
CMMC 2.0 Enhancement
In an update as of Nov 4th, 2021, the DoD clarified that it no longer intends to approve the inclusion of a CMMC requirement in any near-term contract prior to completion of the CMMC 2.0 rulemaking process, and that it will suspend all current trailing phases.
Once CMMC 2.0 is fully authorized through the rulemaking process, the DoD will require a certain set of companies, based on contract assignments, to adhere to the revised CMMC framework and to the requirements set forth in regulation and that rulemaking process. The expected timeline for the revamped program is a March 2023 interim rule, followed by a 60-day comment period and a final rule in May 2023, with inclusion in RFx and contract language expected to follow in the late spring and summer of 2023.
Much of this hinges on closing the gaps around the CMMC Assessment Process guide (CAP), which isn’t public yet, as the DoD hasn’t finished drafting the rules or submitted them to the Office of Management and Budget (OMB). So, as things stand, there is still uncertainty about how the C3PAO assessment will be run and which precise aspects being assessed will align with the final rule, hence the wide range in the timeline.
Additional highlights from the 2.0 announcement / update:
- The DoD has reduced the number of levels in the model from five to three and provided clarity on their alignment:
- The Advanced level (formerly level 3 - Good) will be the equivalent of NIST SP 800-171 ‘Protecting CUI’ and will contain 110-plus practices.
- Similarly, the Expert level (formerly level 5 – Advanced) will be based on a subset of NIST SP 800-172 (Enhanced Security Requirements for Protecting CUI: Supplement to 800-171) but is still under development.
- Finally, the Foundational level (formerly level 1 – Basic) will be based on the contractor’s ‘annual self-audit’ against the 17 practices.
- If implemented, these proposed changes would align with many industries’ recommendations to leverage existing standards rather than introducing new ones.
- Levels 2 & 4 have been removed from the 2.0 version and will no longer be considered or tracked (see below).
Further changes included within CMMC 2.0:
- Removing CMMC-unique practices and all maturity processes from the CMMC Model
- Allowing annual self-assessments with an annual affirmation by DIB company leadership for CMMC Level 1 “Basic”
- Bifurcating the CMMC Level 3 requirements: identified / prioritized acquisitions that handle CUI would require independent assessment, while non-prioritized acquisitions would require an annual self-assessment and company affirmation, following current DoD acquisition protocols
- Development of a time-bound and enforceable ‘Plan of Action and Milestone’ (POA&M) process, as well as a time-bound ‘waiver process’ if needed or approved, allowing contractors that do not meet every security control the time necessary to prove that they will in the future
- This is a very important feature, as POA&Ms have been a challenging point for many in the DIB: failure to meet a control in an inspection would have meant a contractor could not work on, or win, a contract. Along with the waiver process, the DoD has provided several means to keep contracts accessible not only to larger enterprises within the DIB community but also to SMBs, while reducing potential strain on the assessors.
- POA&Ms will be allowed for 180 days under CMMC 2.0, however:
- CMMC 2.0 will not allow POA&Ms for some of the highest-weighted requirements.
- DoD will establish a “minimum score” to support certification with POA&Ms.
- The CMMC Accreditation Body has been rebranded as the Cyber AB, a “Doing Business As” (DBA) name, meaning that functionally nothing changes for the organization other than its name and website (cyberab.org). The move, however, will allow the Cyber AB to protect both its name and trademark while clearing up confusion about whether it was a government entity or had a relationship to the DoD.
These updates will be continually followed and highlighted here on Tech Zone. Ultimately, once the DoD invokes them, these enhancements should help the industry streamline the mapping of controls to practices and leverage the frameworks and security measures already adopted by agencies, such as NIST and FedRAMP, without re-inventing another wheel. However, there has still NOT been a clear decision on reciprocity for Cloud Service Providers (CSPs) like VMware to help DIB companies reach compliance with CMMC, although DoD leadership has mentioned the potential of using cloud service offerings under the GSA’s FedRAMP program that could help companies achieve many or all of the 110 controls in NIST 800-171, reducing complexity, expense and time.
CMMC is intended to ensure that all members of the defense supply chain are applying standardized cybersecurity and risk management practices in order to protect sensitive unclassified information.
VMware continues to support contractors and vendors within the Defense Industrial Base (DIB) supply chain that need to conduct self-assessments or prepare for certification and assessment by a CMMC Third Party Assessment Organization (C3PAO) through our identified solutions, including those that already overlay the controls from NIST SP 800-53 (FISMA) as well as those in SP 800-171, Protecting CUI, aligning the necessary documentation of the controls that would be in place to meet the audit.
For further Zero-Trust and Cybersecurity assets on Tech Zone, see:
- Incorporating VMware Zero-Trust for the Presidential Executive Order
- VMware's Tech Zone Zero Trust Cybersecurity Portal