CMMC 2.0 – What, How, and Why Act Now?

Coalfire Assessment Team

November 23, 2021
Blog Images 2021 CMMC listview

With the recent streamlining of the Cybersecurity Maturity Model Certification (CMMC) framework, the path to assure Defense Industrial Base (DIB) cybersecurity has changed dramatically from what was originally planned. There’s a lot to learn about CMMC 2.0, but the objective remains the same: protect sensitive defense information from theft by our adversaries. The plan to achieve that objective now recognizes the challenges of fielding a small army of third-party assessors over a compressed timeframe and the business impact and cost on small and medium-sized DIB organizations. CMMC 1.0 described a vision for the DoD supply chain that created virtual vaults to secure Controlled Unclassified Information (CUI). CMMC 2.0 provides a path for organizations to achieve that vision over a reasonable period of time rather than all at once, and prevents “perfect” from becoming the enemy of “good and consistently improving.”

What’s changed?

CMMC 2.0 streamlines the model by reducing the number of levels from five to three:

Organizations that only handle Federal Contract Information (FCI) must still achieve Level 1 where all (17) controls remain intact. The updates recognize the difficulty of assembling, training, and certifying that army of individuals to assess the estimated 300,000+ FCI suppliers, so those organizations can now annually self-assess and self-attest under CMMC 2.0. This also reduces the cost of assessment for these suppliers.

Organizations that handle CUI must satisfy CMMC 2.0 Level 2 requirements, which now mirror NIST SP 800-171, Revision 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. The (20) “delta” controls in the original CMMC framework have been removed, as have the maturity processes. Some Level 2 procurements that involve critical nation security information will be deemed prioritized, and those will require suppliers to triennially achieve CMMC 2.0 certification through third-party (C3PAO) assessment. For non-prioritized procurements, suppliers will annually self-assess and self-attest. Initially, a smaller percentage of procurements will be authorized, but expect the balance to shift over time as the pool of certified assessors grows.

Under certain limited conditions, CMMC 2.0 also allows organizations to create Plans of Action and Milestones (POA&Ms) to achieve certification. POA&Ms will be time-limited — requiring execution within 180 days — and controls that are heavily weighted in the DoD’s scoring methodology* will likely be ineligible for a POA&M. Often these are the most challenging to satisfy.

At CMMC 2.0 Level 2, policies and procedures aren’t eliminated. Refer to Exhibit E in NIST Special Publication 800-171 Revision 2. The (61) Non-Federal Organization (NFO) controls listed are expected to be routinely satisfied without specification, and you’ll find policy and procedure requirements, among others, for every control family. The NFO controls won’t be individually assessed, but evidence of satisfying those controls will be. For example, control 3.4.8 requires preventing the use of unauthorized software via policies for blacklisting and whitelisting. Expect to be asked for those policies when 3.4.8 is examined.

What’s staying the same?

DFARS 252-204-7012 will continue to be the law of the land for organizations that handle CUI. The requirement to already be DFARS-compliant has not changed. What will change is the DoD’s enforcement under CMMC 2.0. The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) is adding capacity to increase the rate of random and selective audits of self-assessments. The DoJ’s recent announcement of its Civil Cyber-Fraud Initiative increases the DoD’s ability to prosecute offenders who willfully falsify self-assessments under the False Claims Act. Expect to see more False Claims Act defendants. Additionally, self-attestation under CMMC 2.0 requires a corporate officer’s signature, making them personally liable for the accuracy of results.

Satisfying CMMC requirements doesn’t change much either. CMMC 2.0 requirements are still hard, still require specialized IT and IS expertise, and still take time and money. Assessment criteria can be found in NIST SP 800-171A, but it isn’t always clear what technically does and does not satisfy individual control requirements, how systems should be configured, and how sophisticated security tools should be implemented.

You may have less time than you think

CMMC 1.0 was going to be gradually phased in through 2026 with less than 25% of the DIB required to achieve CMMC certification before the end of 2025. But the timeline for CMMC 2.0 can be a lot shorter. Once CMMC 2.0 goes into effect, all contracts will require awardees to be compliant with CMMC 2.0 requirements at the time of award. This will be true for both prioritized procurements (compliance certified by a C3PAO) and non-prioritized procurements (compliance self-attested). Any POA&M items will need to be executed within 180 days. Rulemaking in 32 CFR and 48 CFR to implement CMMC 2.0, according to the DoD, could take as little as 9 months and as long as 24 months. Given DoD’s expressed intent to expedite the process, CMMC 2.0 could be implemented before the end of 2022. If interim rules are published, as the DoD did in September 2020 for DFARS 204.252-7019, 7020, and 7021, CMMC 2.0 could potentially be implemented as early as mid-2022.

Key Takeaways

Get compliant now

Since 2017, DFARS 7012 required all contractors, subcontractors and suppliers within the DoD supply chain that receive, create, or handle CUI to satisfy the NIST SP 800-171 requirements. Poor and inconsistent compliance, caused in part by weak enforcement, limited 800-171’s effectiveness in curtailing the theft of CUI from suppliers by foreign adversaries. That stops now. DFARS 252.204-7019 requires submission of an assessment score to the DoD before contract award – which will be enforced. The 7020 clause provides DIBCAC the authority to audit self-assessments. CMMC 2.0 will allow POA&Ms, but time limits POA&M execution.

Satisfying CMMC technical and non-technical requirements takes an average of twelve months for a small-to medium-sized business. With the clock ticking and the possibility of CMMC 2.0 implementation before the end of 2022, it’s essential for every DIB contractor, subcontractor, and supplier to get compliant now.

Get certified by a C3PAO

Under CMMC 2.0, only prioritized procurements at Level 2 require independent C3PAO certification, not non-prioritized and Level 1 procurements. However, all DIB organizations should consider the following three reasons to get certified by a C3PAO:

  1. The DoD is offering incentives. Contractors and subcontractors that have been independently certified represent lower third-party risk to the DoD than those that haven’t. Being among those with third-party certifications will have benefits.
  2. Large primes are also concerned about third-party risk. Not only does third-party certification provide a competitive advantage, but it may also be required more broadly and more quickly by primes to mitigate their third-party risk.
  3. Personal attestation by a corporate officer to the accuracy of a self-assessment creates both entity and personal liability, especially when DoD will be employing the Civil Cyber-Fraud Initiative to add False Claim Act participants. Third-party certification can inoculate executives, officers, and directors from potential personal exposure. Think about the number of CEOs and CFOs charged by the SEC for violating the Sarbanes-Oxley Act. The False Claims Act could prove to be worse.

Work with an advisor

Satisfying CMMC 2.0 is hard, requires specialized IT and IS expertise, and takes time and money. The particulars of what satisfies a CMMC 2.0 requirement can be daunting and ambiguous, especially when it needs to do so from the perspective of a DIBCAC auditor or a third-party assessor. If you are audited, what you thought was good enough may not be. Reduce your risk and limit cost and time required to achieve compliance by choosing an advisor who understands the CMMC 2.0 framework and has the necessary information technology and information security knowledge to guide you in addressing CMMC 2.0 requirements. A word of caution, however. While there are many qualified organizations that can help you through your CMMC journey, there is nothing that prevents a potential advisor from claiming they’re a CMMC expert. Organizations that provide advisory services and who are also certified as a C3PAO understand the framework and how it will be audited or assessed. As Indiana Jones was warned, “choose wisely”.

There’s a lot to get done, and limited time to do it. CMMC v1.0 established a vision. CMMC 2.0 starts a journey to take us there, and one likely to be embraced by other federal agencies in the future. We’re here to help.

* NIST SP 800-171 DoD Assessment Methodology, Version 1.2, June 10, 2020